From fdf9333255b50435890322559603c7bda4ed5771 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Thu, 19 Mar 2026 14:53:36 +0100 Subject: [PATCH 1/6] added dependency-update workflow template --- .github/workflows/dependency-update.yml | 60 +++++++++++++++++++ doc/github_actions/dependency_update.rst | 14 +++++ doc/github_actions/github_actions.rst | 1 + .../github/workflows/dependency-update.yml | 60 +++++++++++++++++++ .../tools/workflow_integration_test.py | 25 +++++--- 5 files changed, 152 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/dependency-update.yml create mode 100644 doc/github_actions/dependency_update.rst create mode 100644 exasol/toolbox/templates/github/workflows/dependency-update.yml diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml new file mode 100644 index 0000000000..69b7a1dff1 --- /dev/null +++ b/.github/workflows/dependency-update.yml 
@@ -0,0 +1,60 @@ +name: Dependency Update + +on: + schedule: + # Every Monday at 03:00 UTC + - cron: "0 3 * * 1" + workflow_dispatch: + +jobs: + dependency-update: + name: Dependency Update + runs-on: "ubuntu-24.04" + permissions: + contents: write + pull-requests: write + + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + + - name: Set up Python & Poetry Environment + id: set-up-python-and-poetry-environment + uses: exasol/python-toolbox/.github/actions/python-environment@v6 + with: + python-version: "3.10" + poetry-version: "2.3.0" + + - name: Audit Dependencies + id: audit-dependencies + run: poetry run -- nox -s dependency:audit + + - name: Update Dependencies + id: update-dependencies + run: poetry update + + - name: Check for poetry.lock Changes + id: check-for-poetry-lock-changes + run: | + if git diff --quiet -- poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create Pull Request + id: create-pull-request + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' + uses: peter-evans/create-pull-request@v7 + with: + commit-message: "Update poetry.lock" + branch: dependency-update/poetry-lock + delete-branch: true + title: "Update poetry.lock" + body: |- + Automated dependency update for `poetry.lock`. + + This PR was created by the dependency update workflow after running: + - `poetry run -- nox -s dependency:audit` + - `poetry update` diff --git a/doc/github_actions/dependency_update.rst b/doc/github_actions/dependency_update.rst new file mode 100644 index 0000000000..807ffeefdd --- /dev/null +++ b/doc/github_actions/dependency_update.rst 
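Review bot: Nothing after `poetry update` verifies that the audit is clean before the PR is opened; `poetry update` only moves dependencies within the constraints declared in `pyproject.toml`, so a finding whose fix requires a constraint bump survives the update and the PR still goes out looking like a remediation. Whether the update step is even reached on findings depends on the exit status of `nox -s dependency:audit`, which this hunk can't show. I'd add a second audit step after the update, `- name: Re-audit Dependencies` with `run: poetry run -- nox -s dependency:audit`, and fail the job or paste its result into the PR body. The job holds `contents: write` and `pull-requests: write` and references three third-party actions by floating major tag; pinning those `uses:` lines to full commit SHAs is the usual hardening for a workflow that pushes commits. Both points apply equally to the template copy added in this commit and to the later revisions of both files in this series.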
@@ -0,0 +1,14 @@ +dependency-update +================= + +This workflow updates the project dependencies using Poetry. + +It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``. +If the ``poetry.lock`` file changes, a pull request is created automatically. + +Example Usage +------------- + +.. code-block:: bash + + tbx workflow install dependency-update \ No newline at end of file diff --git a/doc/github_actions/github_actions.rst b/doc/github_actions/github_actions.rst index e9139e8869..d9798ac602 100644 --- a/doc/github_actions/github_actions.rst +++ b/doc/github_actions/github_actions.rst @@ -8,3 +8,4 @@ python_environment security_issues + dependency_update diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml new file mode 100644 index 0000000000..45f5a145f2 --- /dev/null +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -0,0 +1,60 @@ +name: Dependency Update + +on: + schedule: + # Every Monday at 03:00 UTC + - cron: "0 3 * * 1" + workflow_dispatch: + +jobs: + dependency-update: + name: Dependency Update + runs-on: "(( os_version ))" + permissions: + contents: write + pull-requests: write + + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + + - name: Set up Python & Poetry Environment + id: set-up-python-and-poetry-environment + uses: exasol/python-toolbox/.github/actions/python-environment@v6 + with: + python-version: "(( minimum_python_version ))" + poetry-version: "(( dependency_manager_version ))" + + - name: Audit Dependencies + id: audit-dependencies + run: poetry run -- nox -s dependency:audit + + - name: Update Dependencies + id: update-dependencies + run: poetry update + + - name: Check for poetry.lock Changes + id: check-for-poetry-lock-changes + run: | + if git diff --quiet -- poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create Pull Request + id: create-pull-request + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' + uses: peter-evans/create-pull-request@v7 + with: + commit-message: "Update poetry.lock" + branch: dependency-update/poetry-lock + delete-branch: true + title: "Update poetry.lock" + body: | + Automated dependency update for `poetry.lock`. + + This PR was created by the dependency update workflow after running: + - `poetry run -- nox -s dependency:audit` + - `poetry update` diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index cf85d01208..21f5eb100b 100644 --- a/test/integration/tools/workflow_integration_test.py +++ b/test/integration/tools/workflow_integration_test.py @@ -18,6 +18,7 @@ def test_with_default(cli_runner): "check-release-tag\n" "checks\n" "ci\n" + "dependency-update\n" "gh-pages\n" "matrix-all\n" "matrix-exasol\n" 
@@ -33,14 +34,20 @@ def test_with_columns(cli_runner): result = cli_runner.invoke(CLI, ["list", "--columns"]) assert result.exit_code == 0 - assert result.output == ( - "build-and-publish cd check-release-tag checks ci " - "gh-pages\n" - "matrix-all matrix-exasol matrix-python merge-gate pr-merge " - "report \n" - "slow-checks \n" - ) - + assert "build-and-publish" in result.output + assert "cd" in result.output + assert "check-release-tag" in result.output + assert "checks" in result.output + assert "ci" in result.output + assert "dependency-update" in result.output + assert "gh-pages" in result.output + assert "matrix-all" in result.output + assert "matrix-exasol" in result.output + assert "matrix-python" in result.output + assert "merge-gate" in result.output + assert "pr-merge" in result.output + assert "report" in result.output + assert "slow-checks" in result.output def test_show_workflow(cli_runner): result = cli_runner.invoke(CLI, ["show", "checks"]) @@ -57,6 +64,7 @@ def test_show_workflow(cli_runner): "check-release-tag", "checks", "ci", + "dependency-update", "gh-pages", "matrix-all", "matrix-exasol", @@ -92,6 +100,7 @@ def test_all_workflows(cli_runner, tmp_path): "check-release-tag.yml", "checks.yml", "ci.yml", + "dependency-update.yml", "gh-pages.yml", "matrix-all.yml", "matrix-exasol.yml", From 67e8357c4484441debadc2cf5297ebdce964c207 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 13 Apr 2026 15:24:23 +0200 Subject: [PATCH 2/6] Add dependency-update workflow template and update tests --- .../github/workflows/dependency-update.yml | 73 ++++++++++++++----- test/integration/project-template/nox_test.py | 2 +- .../tools/workflow_integration_test.py | 1 + test/unit/nox/_workflow_test.py | 2 +- test/unit/tool_template_test.py | 3 + test/unit/util/workflows/templates_test.py | 1 + 6 files changed, 62 insertions(+), 20 deletions(-) 
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 45f5a145f2..45244b37eb 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -5,11 +5,12 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: + workflow_call: jobs: dependency-update: name: Dependency Update - runs-on: "(( os_version ))" + runs-on: "ubuntu-24.04" permissions: contents: write pull-requests: write @@ -18,24 +19,33 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 with: - python-version: "(( minimum_python_version ))" - poetry-version: "(( dependency_manager_version ))" + python-version: "3.10" + poetry-version: "2.3.0" - name: Audit Dependencies id: audit-dependencies - run: poetry run -- nox -s dependency:audit + shell: bash + run: | + poetry run -- nox -s dependency:audit | tee vulnerabilities.json + LENGTH=$(jq 'length' vulnerabilities.json) + echo "count=$LENGTH" >> "$GITHUB_OUTPUT" - name: Update Dependencies id: update-dependencies + if: steps.audit-dependencies.outputs.count > 0 run: poetry update - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes + if: steps.audit-dependencies.outputs.count > 0 + shell: bash run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
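Review bot: In the Audit Dependencies step, `LENGTH=$(jq 'length' vulnerabilities.json)` yields an empty string when the file holds no JSON value (jq exits 0 with no output on empty input), so `count=` is written and the `count > 0` guards on the following steps evaluate false — an audit that produced nothing on stdout then looks like a clean one and the job goes green. `jq -e 'length'` turns the no-result case into a non-zero exit that `bash -e` catches: `LENGTH=$(jq -e 'length' vulnerabilities.json)`. This also assumes the nox session prints only the JSON array on stdout, which the hunk can't confirm; anything else there makes jq fail loudly, which is the better failure mode. `fetch-depth: 0` on the checkout fetches full history, but nothing in the job reads it, so the default depth would do.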
@@ -43,18 +53,45 @@ jobs: echo "changed=true" >> "$GITHUB_OUTPUT" fi - - name: Create Pull Request - id: create-pull-request + - name: Configure git + id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - commit-message: "Update poetry.lock" - branch: dependency-update/poetry-lock - delete-branch: true - title: "Update poetry.lock" - body: | - Automated dependency update for `poetry.lock`. - - This PR was created by the dependency update workflow after running: - - `poetry run -- nox -s dependency:audit` - - `poetry update` + shell: bash + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + id: create-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + shell: bash + run: | + branch_name="dependency-update/poetry-lock" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + id: publish-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + shell: bash + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + git add poetry.lock + git commit --message "Update poetry.lock" + git push --set-upstream origin "$branch_name" + + - name: Create pull request + id: create-pr + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ github.token }} + shell: bash + run: | + gh pr create \ + --base main \ + --title "Update poetry.lock" \ + --body "Automated dependency update for \`poetry.lock\`. + + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" 
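Review bot: The step conditions disagree on which branches may be modified: `create-branch` and `create-pr` require `github.ref == 'refs/heads/main'`, but `publish-branch` only requires `startsWith(github.ref, 'refs/heads/')`, so a `workflow_dispatch` or `workflow_call` run from any other branch skips the branch creation and pushes the lock-file commit directly onto that branch with no PR. Aligning the third condition, `if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'`, or gating the whole job on the default branch once, closes that path. The fixed branch name `dependency-update/poetry-lock` will also make `git push --set-upstream` fail on the next run if a previous update PR is still open, since the remote branch then exists with diverging history. The same condition mismatch is present in the `.github/workflows` copy and the template in the third commit of this series.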
diff --git a/test/integration/project-template/nox_test.py b/test/integration/project-template/nox_test.py index cc5767ad91..33c2397121 100644 --- a/test/integration/project-template/nox_test.py +++ b/test/integration/project-template/nox_test.py @@ -76,4 +76,4 @@ def test_install_github_workflows(self, poetry_path, run_command): assert output.returncode == 0 file_list = run_command(["ls", ".github/workflows"]).stdout.splitlines() - assert len(file_list) == 13 + assert len(file_list) == 14 diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index 21f5eb100b..4f8cbed7f1 100644 --- a/test/integration/tools/workflow_integration_test.py +++ b/test/integration/tools/workflow_integration_test.py @@ -49,6 +49,7 @@ def test_with_columns(cli_runner): assert "report" in result.output assert "slow-checks" in result.output + def test_show_workflow(cli_runner): result = cli_runner.invoke(CLI, ["show", "checks"]) diff --git a/test/unit/nox/_workflow_test.py b/test/unit/nox/_workflow_test.py index c4a048719c..a0654c93dd 100644 --- a/test/unit/nox/_workflow_test.py +++ b/test/unit/nox/_workflow_test.py @@ -35,7 +35,7 @@ class TestGenerateWorkflow: @staticmethod @pytest.mark.parametrize( "nox_session_runner_posargs, expected_count", - [(ALL, 13), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]], + [(ALL, 14), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]], indirect=["nox_session_runner_posargs"], ) def test_works_as_expected( diff --git a/test/unit/tool_template_test.py b/test/unit/tool_template_test.py index 74734877d3..d60c24a3d9 100644 --- a/test/unit/tool_template_test.py +++ b/test/unit/tool_template_test.py @@ -11,6 +11,7 @@ def test_retrieve_workflow_templates(): "check-release-tag": "check-release-tag.yml", "checks": "checks.yml", "ci": "ci.yml", + "dependency-update": "dependency-update.yml", "gh-pages": "gh-pages.yml", "matrix-all": "matrix-all.yml", "matrix-exasol": "matrix-exasol.yml", 
@@ -51,6 +52,7 @@ def test_retrieve_issue_templates(): "check-release-tag": "check-release-tag.yml", "checks": "checks.yml", "ci": "ci.yml", + "dependency-update": "dependency-update.yml", "gh-pages": "gh-pages.yml", "matrix-all": "matrix-all.yml", "matrix-exasol": "matrix-exasol.yml", @@ -106,6 +108,7 @@ def test_retrieve_templates(subpackage, expected): "check-release-tag.yml", "checks.yml", "ci.yml", + "dependency-update.yml", "gh-pages.yml", "matrix-all.yml", "matrix-exasol.yml", diff --git a/test/unit/util/workflows/templates_test.py b/test/unit/util/workflows/templates_test.py index 994777e261..241796bf39 100644 --- a/test/unit/util/workflows/templates_test.py +++ b/test/unit/util/workflows/templates_test.py @@ -11,6 +11,7 @@ def test_get_workflow_templates(project_config): "check-release-tag", "checks", "ci", + "dependency-update", "gh-pages", "matrix-all", "matrix-exasol", From c9c53e6e8d1ff57ce6ba59b54cb7d364b234addd Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Tue, 14 Apr 2026 16:19:03 +0200 Subject: [PATCH 3/6] Apply review feedback for dependency update workflow --- .github/workflows/dependency-update.yml | 63 ++++++++++++++----- doc/github_actions/dependency_update.rst | 14 ----- doc/github_actions/github_actions.rst | 1 - .../features/github_workflows/index.rst | 14 +++++ .../github/workflows/dependency-update.yml | 19 +++--- 5 files changed, 69 insertions(+), 42 deletions(-) delete mode 100644 doc/github_actions/dependency_update.rst diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 69b7a1dff1..a485ae9eb7 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -5,6 +5,7 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: + workflow_call: jobs: dependency-update: 
@@ -18,6 +19,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -28,14 +31,19 @@ jobs: - name: Audit Dependencies id: audit-dependencies - run: poetry run -- nox -s dependency:audit + run: | + poetry run -- nox -s dependency:audit | tee vulnerabilities.json + LENGTH=$(jq 'length' vulnerabilities.json) + echo "count=$LENGTH" >> "$GITHUB_OUTPUT" - name: Update Dependencies id: update-dependencies + if: steps.audit-dependencies.outputs.count > 0 run: poetry update - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes + if: steps.audit-dependencies.outputs.count > 0 run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
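Review bot: The Audit Dependencies step runs under the default shell (`bash -e {0}`, no `pipefail`, since no `shell:` is set), so when `nox -s dependency:audit` fails the pipeline's status is `tee`'s and the step continues; `jq 'length'` on the empty file prints nothing, `count=` is written, and the `count > 0` guards skip the update while the job stays green. Either add `shell: bash` to the step (GitHub then runs `bash --noprofile --norc -eo pipefail {0}`) or start the script with `set -o pipefail`. The template copy in this same commit removes `shell: bash` from that step and so acquires the same gap.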
@@ -43,18 +51,43 @@ jobs: echo "changed=true" >> "$GITHUB_OUTPUT" fi - - name: Create Pull Request - id: create-pull-request + - name: Configure git + id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - commit-message: "Update poetry.lock" - branch: dependency-update/poetry-lock - delete-branch: true - title: "Update poetry.lock" - body: |- - Automated dependency update for `poetry.lock`. - - This PR was created by the dependency update workflow after running: - - `poetry run -- nox -s dependency:audit` - - `poetry update` + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + id: create-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + run: | + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + id: publish-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + git add poetry.lock + git commit --message "Update poetry.lock" + git push --set-upstream origin "$branch_name" + + - name: Create pull request + id: create-pr + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ github.token }} + run: |- + BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) + + gh pr create \ + --base "$BASE_BRANCH" \ + --title "Update poetry.lock" \ + --body "Automated dependency update for \`poetry.lock\`. + + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" 
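Review bot: The pull request is created with `GH_TOKEN: ${{ github.token }}`; events caused by the default `GITHUB_TOKEN` do not trigger other workflows, so the `pull_request` checks (the merge gate) won't run on the update PR, and a dependency bump that breaks the build can be merged with no red signal. A GitHub App token or a dedicated secret in `GH_TOKEN` avoids that; if the default token is kept on purpose, a comment on the `env:` line saying CI has to be triggered manually on the PR would save the next reader the surprise. The `git config --global` lines set the identity machine-wide on the runner, where repo-local `git config user.email` / `git config user.name` is sufficient. The same token choice is made in the template copies of this workflow elsewhere in the series.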
diff --git a/doc/github_actions/dependency_update.rst b/doc/github_actions/dependency_update.rst deleted file mode 100644 index 807ffeefdd..0000000000 --- a/doc/github_actions/dependency_update.rst +++ /dev/null @@ -1,14 +0,0 @@ -dependency-update -================= - -This workflow updates the project dependencies using Poetry. - -It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``. -If the ``poetry.lock`` file changes, a pull request is created automatically. - -Example Usage -------------- - -.. code-block:: bash - - tbx workflow install dependency-update \ No newline at end of file diff --git a/doc/github_actions/github_actions.rst b/doc/github_actions/github_actions.rst index d9798ac602..e9139e8869 100644 --- a/doc/github_actions/github_actions.rst +++ b/doc/github_actions/github_actions.rst @@ -8,4 +8,3 @@ python_environment security_issues - dependency_update diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index 6b6e8f7fc6..b465c9610d 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst @@ -61,6 +61,9 @@ Workflows - Pull request and monthly - Executes the continuous integration suite by calling ``merge-gate.yml`` and ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls. + * - ``dependency-update.yml`` + - Weekly and manual + - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if ``poetry.lock`` changes. * - ``gh-pages.yml`` - Workflow call - Builds the documentation and deploys it to GitHub Pages. 
@@ -99,6 +102,17 @@ Workflows CI Actions ---------- +Dependency Update +^^^^^^^^^^^^^^^^^ + +The ``dependency-update.yml`` workflow helps keep project dependencies up to date. + +It can be triggered manually and is also scheduled to run weekly. + +The workflow first audits dependencies for known vulnerabilities. If vulnerabilities +are detected, it updates the dependencies using Poetry. When ``poetry.lock`` changes, +it creates a pull request with the update. + .. _ci_yml: Pull Request diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 45244b37eb..bd935cf4ba 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -5,12 +5,11 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: - workflow_call: jobs: dependency-update: name: Dependency Update - runs-on: "ubuntu-24.04" + runs-on: "(( os_version ))" permissions: contents: write pull-requests: write @@ -26,12 +25,11 @@ jobs: id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 with: - python-version: "3.10" - poetry-version: "2.3.0" + python-version: "(( minimum_python_version ))" + poetry-version: "(( dependency_manager_version ))" - name: Audit Dependencies id: audit-dependencies - shell: bash run: | poetry run -- nox -s dependency:audit | tee vulnerabilities.json LENGTH=$(jq 'length' vulnerabilities.json) @@ -45,7 +43,6 @@ jobs: - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes if: steps.audit-dependencies.outputs.count > 0 - shell: bash run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
@@ -56,7 +53,6 @@ jobs: - name: Configure git id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - shell: bash run: | git config --global user.email "opensource@exasol.com" git config --global user.name "Automatic Dependency Updater" @@ -64,16 +60,14 @@ jobs: - name: Create branch id: create-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' - shell: bash run: | - branch_name="dependency-update/poetry-lock" + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" git checkout -b "$branch_name" - name: Commit changes & push id: publish-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') - shell: bash run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -85,10 +79,11 @@ jobs: if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' env: GH_TOKEN: ${{ github.token }} - shell: bash run: | + BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) + gh pr create \ - --base main \ + --base "$BASE_BRANCH" \ --title "Update poetry.lock" \ --body "Automated dependency update for \`poetry.lock\`. From cea77fd6af2bb0927d9bc1ce3bb08f6c70fe189d Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 20 Apr 2026 11:49:11 +0200 Subject: [PATCH 4/6] Improve dependency update workflow, tests, and docs --- .../features/github_workflows/index.rst | 8 ++--- .../github/workflows/dependency-update.yml | 18 +++++++--- .../tools/workflow_integration_test.py | 36 +++++++++++-------- 3 files changed, 39 insertions(+), 23 deletions(-) diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index aaa8431b07..95ecb3612b 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst 
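Review bot: The PR base is now looked up dynamically (`gh repo view --json defaultBranchRef`), but the `create-branch` and `create-pr` conditions still hardcode `github.ref == 'refs/heads/main'`, so on a repository whose default branch is not `main` the PR steps never run while `publish-branch`, which only checks the `refs/heads/` prefix, still pushes the commit. The default branch is available to the expression without an API call: `if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`. Using it in all three conditions keeps the branch check and the PR base in agreement.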
@@ -63,7 +63,7 @@ Workflows ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls. * - ``dependency-update.yml`` - Weekly and manual - - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if ``poetry.lock`` changes. + - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if the ``poetry.lock`` was changed. * - ``gh-pages.yml`` - Workflow call - Builds the documentation and deploys it to GitHub Pages. @@ -105,13 +105,13 @@ CI Actions Dependency Update ^^^^^^^^^^^^^^^^^ -The ``dependency-update.yml`` workflow helps keep project dependencies up to date. +The ``dependency-update.yml`` workflow is used to resolve vulnerabilities by updating our project dependencies. It can be triggered manually and is also scheduled to run weekly. The workflow first audits dependencies for known vulnerabilities. If vulnerabilities -are detected, it updates the dependencies using Poetry. When ``poetry.lock`` changes, -it creates a pull request with the update. +are detected, it updates the dependencies using Poetry. When the ``poetry.lock`` is changed, +then it creates a pull request with the update. .. _ci_yml: diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index bd935cf4ba..7acca3b228 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -21,6 +21,14 @@ jobs: with: fetch-depth: 0 + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/github-script@v8 + with: + script: | + core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 @@ -59,15 +67,15 @@ jobs: - name: Create branch id: create-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" - git checkout -b "$branch_name" + git switch -C "$branch_name" - name: Commit changes & push id: publish-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -76,7 +84,7 @@ jobs: - name: Create pull request id: create-pr - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: GH_TOKEN: ${{ github.token }} run: | @@ -84,7 +92,7 @@ jobs: gh pr create \ --base "$BASE_BRANCH" \ - --title "Update poetry.lock" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ --body "Automated dependency update for \`poetry.lock\`. This PR was created by the dependency update workflow after running: diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index 4f8cbed7f1..cc5707e366 100644 --- a/test/integration/tools/workflow_integration_test.py 
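Review bot: In the new `check-branch` step, `${{ github.ref }}` is expanded into the JavaScript source of `script:` before it runs, so a ref containing a single quote breaks the string literal and any further content is interpreted as code; this is the expression-interpolation pattern GitHub's workflow hardening guidance warns against. The exposure is small here because only schedule and dispatch runs reach the step, but the safe form is one extra line: pass the value through the step's `env:` as `REF: ${{ github.ref }}` and write `core.setFailed('Not running on the default branch. github.ref is ' + process.env.REF)`. Since `core.setFailed` stops the job, the later `if:` simplifications in this hunk are sound; a one-line comment above the step saying it is the branch guard for everything below would make that dependency visible. The same step is added to the `.github/workflows` copy in the last commit of this series.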
+++ b/test/integration/tools/workflow_integration_test.py @@ -34,20 +34,28 @@ def test_with_columns(cli_runner): result = cli_runner.invoke(CLI, ["list", "--columns"]) assert result.exit_code == 0 - assert "build-and-publish" in result.output - assert "cd" in result.output - assert "check-release-tag" in result.output - assert "checks" in result.output - assert "ci" in result.output - assert "dependency-update" in result.output - assert "gh-pages" in result.output - assert "matrix-all" in result.output - assert "matrix-exasol" in result.output - assert "matrix-python" in result.output - assert "merge-gate" in result.output - assert "pr-merge" in result.output - assert "report" in result.output - assert "slow-checks" in result.output + + expected_substrings = """ + build-and-publish + cd + check-release-tag + checks + ci + dependency-update + gh-pages + matrix-all + matrix-exasol + matrix-python + merge-gate + pr-merge + report + slow-checks + """ + + actual = set(result.output.split()) + expected = set(expected_substrings.split()) + + assert expected.issubset(actual) def test_show_workflow(cli_runner): From 49145b9451436b6cb5a347db59e0be911627cee2 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 13:06:14 +0200 Subject: [PATCH 5/6] Fix release:prepare test --- exasol/toolbox/util/dependencies/audit.py | 2 +- test/unit/util/dependencies/audit_test.py | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/exasol/toolbox/util/dependencies/audit.py b/exasol/toolbox/util/dependencies/audit.py index 7a18cc3e7c..5d31b3bf98 100644 --- a/exasol/toolbox/util/dependencies/audit.py +++ b/exasol/toolbox/util/dependencies/audit.py 
@@ -260,7 +260,7 @@ def load_from_pip_audit(cls, working_directory: Path) -> Vulnerabilities: vulnerabilities = [] for entry in audit_dict["dependencies"]: - for vuln_entry in entry["vulns"]: + for vuln_entry in entry.get("vulns", []): vulnerabilities.append( Vulnerability.from_audit_entry( package_name=entry["name"], diff --git a/test/unit/util/dependencies/audit_test.py b/test/unit/util/dependencies/audit_test.py index cc414b0d23..d34bc88f1c 100644 --- a/test/unit/util/dependencies/audit_test.py +++ b/test/unit/util/dependencies/audit_test.py @@ -240,7 +240,13 @@ class TestVulnerabilities: @staticmethod def test_with_no_vulnerabilities(): pip_audit_dict = { - "dependencies": [{"name": "alabaster", "version": "0.7.16", "vulns": []}] + "dependencies": [ + { + "name": "exasol-toolbox", + "skip_reason": "Dependency not found on PyPI and could not be audited: exasol-toolbox (7.0.0)", + }, + {"name": "alabaster", "version": "0.7.16", "vulns": []}, + ] } pip_audit_json = json.dumps(pip_audit_dict) From bf382434cfe950a74dd3329dbd6655a8801c7034 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 13:22:02 +0200 Subject: [PATCH 6/6] Update PTB workflows to 7.0.0 --- .github/workflows/build-and-publish.yml | 2 +- .github/workflows/check-release-tag.yml | 2 +- .github/workflows/checks.yml | 16 ++++++++-------- .github/workflows/dependency-update.yml | 19 +++++++++++++------ .github/workflows/gh-pages.yml | 2 +- .github/workflows/matrix-all.yml | 2 +- .github/workflows/matrix-exasol.yml | 2 +- .github/workflows/matrix-python.yml | 2 +- .github/workflows/report.yml | 2 +- .github/workflows/slow-checks.yml | 2 +- 10 files changed, 29 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 9ba56f8d6f..867d79c9b6 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml 
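Review bot: `entry.get("vulns", [])` makes a pip-audit entry that carries `skip_reason` (the new test fixture shows one: a package that could not be audited) indistinguishable from a package that was audited and found clean, so the skipped package silently drops out of the report. Skipped is not the same as safe; I'd surface it before the `for vuln_entry` loop, e.g. `if "skip_reason" in entry:` followed by a logged warning naming `entry["name"]` and the reason, so the workflow output shows which packages were not covered. `load_from_pip_audit` starts and ends outside the hunk, so I can't tell whether a logger is already in scope there.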
@@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index 5423c11a4f..f099fa94ee 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -17,7 +17,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a258fef3ac..064a7fca55 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -42,7 +42,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -67,7 +67,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" 
@@ -102,7 +102,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "2.3.0"
@@ -128,7 +128,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "2.3.0"
@@ -157,7 +157,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
@@ -179,7 +179,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
@@ -227,7 +227,7 @@ jobs:
 fetch-depth: 0
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "2.3.0"
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index a485ae9eb7..b2b4fb940e 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -5,7 +5,6 @@ on:
 # Every Monday at 03:00 UTC
 - cron: "0 3 * * 1"
 workflow_dispatch:
- workflow_call:
 jobs:
 dependency-update:
@@ -22,6 +21,14 @@ jobs:
 with:
 fetch-depth: 0
+ - name: Fail if not running on the default branch
+ id: check-branch
+ if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch)
+ uses: actions/github-script@v8
+ with:
+ script: |
+ core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}')
+
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
 uses: exasol/python-toolbox/.github/actions/python-environment@v6
@@ -60,15 +67,15 @@ jobs:
 - name: Create branch
 id: create-branch
- if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'
+ if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 run: |
 branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
 echo "Creating branch $branch_name"
- git checkout -b "$branch_name"
+ git switch -C "$branch_name"
 - name: Commit changes & push
 id: publish-branch
- if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/')
+ if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 run: |
 branch_name=$(git rev-parse --abbrev-ref HEAD)
 git add poetry.lock
@@ -77,7 +84,7 @@ jobs:
 - name: Create pull request
 id: create-pr
- if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'
+ if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 env:
 GH_TOKEN: ${{ github.token }}
 run: |-
@@ -85,7 +92,7 @@ jobs:
 gh pr create \
 --base "$BASE_BRANCH" \
- --title "Update poetry.lock" \
+ --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
 --body "Automated dependency update for \`poetry.lock\`.
 This PR was created by the dependency update workflow after running:
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 147d0453a8..73c74dc99f 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
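Review bot: The `python-environment` action in this workflow is still pinned to `@v6`: the context line `uses: exasol/python-toolbox/.github/actions/python-environment@v6` directly after the new step is not touched by any hunk of this file, while the commit moves every other workflow to `@v7`, so this looks like the one workflow the bump missed. Separately, the new `check-branch` step expands `${{ github.ref }}` inside the JavaScript source under `script: |`; the expression is substituted before the script is parsed, so a ref name containing a quote would break the script, which is the pattern GitHub's workflow-hardening guidance advises against. The same value is already exposed to the step as an environment variable, so `core.setFailed('Not running on the default branch. github.ref is ' + process.env.GITHUB_REF)` carries no expression expansion at all. The job's step list continues outside the hunk.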
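Review bot: The new PR title `Update dependencies to fix vulnerabilities (...)` overstates what the PR contains: the `create-pr` step is gated only on `steps.check-for-poetry-lock-changes.outputs.changed == 'true'`, and nothing in the visible hunks ties PR creation to the audit result, so a routine `poetry update` with no findings is labelled as a vulnerability fix and may receive a faster, less careful review than a plain dependency bump. Unless the earlier steps (outside this hunk) now gate on the audit, a neutral `--title "Update dependencies ($(date '+%Y-%m-%d'))" \` with the audit outcome stated in the body would be accurate. The `run: |-` block starts outside the hunk.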
@@ -19,7 +19,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml
index 69a5aa4b4f..558f5ef672 100644
--- a/.github/workflows/matrix-all.yml
+++ b/.github/workflows/matrix-all.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml
index 44b5cfd985..a64b88c3f6 100644
--- a/.github/workflows/matrix-exasol.yml
+++ b/.github/workflows/matrix-exasol.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml
index 328799b6c9..e68fd4d1e7 100644
--- a/.github/workflows/matrix-python.yml
+++ b/.github/workflows/matrix-python.yml
@@ -19,7 +19,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index 8790ca1ab2..7612aeba7e 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index 8f1b55e42e..46ed19863c 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -29,7 +29,7 @@ jobs:
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-version }}
 poetry-version: "2.3.0"