From fdf9333255b50435890322559603c7bda4ed5771 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Thu, 19 Mar 2026 14:53:36 +0100 Subject: [PATCH 01/16] added dependency-update workflow template --- .github/workflows/dependency-update.yml | 60 +++++++++++++++++++ doc/github_actions/dependency_update.rst | 14 +++++ doc/github_actions/github_actions.rst | 1 + .../github/workflows/dependency-update.yml | 60 +++++++++++++++++++ .../tools/workflow_integration_test.py | 25 +++++--- 5 files changed, 152 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/dependency-update.yml create mode 100644 doc/github_actions/dependency_update.rst create mode 100644 exasol/toolbox/templates/github/workflows/dependency-update.yml diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml new file mode 100644 index 0000000000..69b7a1dff1 --- /dev/null +++ b/.github/workflows/dependency-update.yml 
@@ -0,0 +1,60 @@ +name: Dependency Update + +on: + schedule: + # Every Monday at 03:00 UTC + - cron: "0 3 * * 1" + workflow_dispatch: + +jobs: + dependency-update: + name: Dependency Update + runs-on: "ubuntu-24.04" + permissions: + contents: write + pull-requests: write + + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + + - name: Set up Python & Poetry Environment + id: set-up-python-and-poetry-environment + uses: exasol/python-toolbox/.github/actions/python-environment@v6 + with: + python-version: "3.10" + poetry-version: "2.3.0" + + - name: Audit Dependencies + id: audit-dependencies + run: poetry run -- nox -s dependency:audit + + - name: Update Dependencies + id: update-dependencies + run: poetry update + + - name: Check for poetry.lock Changes + id: check-for-poetry-lock-changes + run: | + if git diff --quiet -- poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create Pull Request + id: create-pull-request + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' + uses: peter-evans/create-pull-request@v7 + with: + commit-message: "Update poetry.lock" + branch: dependency-update/poetry-lock + delete-branch: true + title: "Update poetry.lock" + body: |- + Automated dependency update for `poetry.lock`. + + This PR was created by the dependency update workflow after running: + - `poetry run -- nox -s dependency:audit` + - `poetry update` diff --git a/doc/github_actions/dependency_update.rst b/doc/github_actions/dependency_update.rst new file mode 100644 index 0000000000..807ffeefdd --- /dev/null +++ b/doc/github_actions/dependency_update.rst 
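Review bot: Every `uses:` in this hunk (`actions/checkout@v6`, `exasol/python-toolbox/.github/actions/python-environment@v6`, `peter-evans/create-pull-request@v7`) is pinned to a mutable major-version tag while the job carries `contents: write` and `pull-requests: write`, so a re-pointed tag would run unreviewed code with push rights on the repository. Pin each action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v6`, and let an updater keep the pins current. The template copy of this workflow later in this patch (`exasol/toolbox/templates/github/workflows/dependency-update.yml`) has the same `uses:` lines and should be pinned the same way, since downstream projects install it verbatim.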
@@ -0,0 +1,14 @@ +dependency-update +================= + +This workflow updates the project dependencies using Poetry. + +It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``. +If the ``poetry.lock`` file changes, a pull request is created automatically. + +Example Usage +------------- + +.. code-block:: bash + + tbx workflow install dependency-update \ No newline at end of file diff --git a/doc/github_actions/github_actions.rst b/doc/github_actions/github_actions.rst index e9139e8869..d9798ac602 100644 --- a/doc/github_actions/github_actions.rst +++ b/doc/github_actions/github_actions.rst @@ -8,3 +8,4 @@ python_environment security_issues + dependency_update diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml new file mode 100644 index 0000000000..45f5a145f2 --- /dev/null +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -0,0 +1,60 @@ +name: Dependency Update + +on: + schedule: + # Every Monday at 03:00 UTC + - cron: "0 3 * * 1" + workflow_dispatch: + +jobs: + dependency-update: + name: Dependency Update + runs-on: "(( os_version ))" + permissions: + contents: write + pull-requests: write + + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + + - name: Set up Python & Poetry Environment + id: set-up-python-and-poetry-environment + uses: exasol/python-toolbox/.github/actions/python-environment@v6 + with: + python-version: "(( minimum_python_version ))" + poetry-version: "(( dependency_manager_version ))" + + - name: Audit Dependencies + id: audit-dependencies + run: poetry run -- nox -s dependency:audit + + - name: Update Dependencies + id: update-dependencies + run: poetry update + + - name: Check for poetry.lock Changes + id: check-for-poetry-lock-changes + run: | + if git diff --quiet -- poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create Pull Request + id: create-pull-request + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' + uses: peter-evans/create-pull-request@v7 + with: + commit-message: "Update poetry.lock" + branch: dependency-update/poetry-lock + delete-branch: true + title: "Update poetry.lock" + body: | + Automated dependency update for `poetry.lock`. + + This PR was created by the dependency update workflow after running: + - `poetry run -- nox -s dependency:audit` + - `poetry update` diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index cf85d01208..21f5eb100b 100644 --- a/test/integration/tools/workflow_integration_test.py +++ b/test/integration/tools/workflow_integration_test.py @@ -18,6 +18,7 @@ def test_with_default(cli_runner): "check-release-tag\n" "checks\n" "ci\n" + "dependency-update\n" "gh-pages\n" "matrix-all\n" "matrix-exasol\n" 
@@ -33,14 +34,20 @@ def test_with_columns(cli_runner): result = cli_runner.invoke(CLI, ["list", "--columns"]) assert result.exit_code == 0 - assert result.output == ( - "build-and-publish cd check-release-tag checks ci " - "gh-pages\n" - "matrix-all matrix-exasol matrix-python merge-gate pr-merge " - "report \n" - "slow-checks \n" - ) - + assert "build-and-publish" in result.output + assert "cd" in result.output + assert "check-release-tag" in result.output + assert "checks" in result.output + assert "ci" in result.output + assert "dependency-update" in result.output + assert "gh-pages" in result.output + assert "matrix-all" in result.output + assert "matrix-exasol" in result.output + assert "matrix-python" in result.output + assert "merge-gate" in result.output + assert "pr-merge" in result.output + assert "report" in result.output + assert "slow-checks" in result.output def test_show_workflow(cli_runner): result = cli_runner.invoke(CLI, ["show", "checks"]) @@ -57,6 +64,7 @@ def test_show_workflow(cli_runner): "check-release-tag", "checks", "ci", + "dependency-update", "gh-pages", "matrix-all", "matrix-exasol", @@ -92,6 +100,7 @@ def test_all_workflows(cli_runner, tmp_path): "check-release-tag.yml", "checks.yml", "ci.yml", + "dependency-update.yml", "gh-pages.yml", "matrix-all.yml", "matrix-exasol.yml", From 67e8357c4484441debadc2cf5297ebdce964c207 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 13 Apr 2026 15:24:23 +0200 Subject: [PATCH 02/16] Add dependency-update workflow template and update tests --- .../github/workflows/dependency-update.yml | 73 ++++++++++++++----- test/integration/project-template/nox_test.py | 2 +- .../tools/workflow_integration_test.py | 1 + test/unit/nox/_workflow_test.py | 2 +- test/unit/tool_template_test.py | 3 + test/unit/util/workflows/templates_test.py | 1 + 6 files changed, 62 insertions(+), 20 deletions(-) 
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 45f5a145f2..45244b37eb 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -5,11 +5,12 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: + workflow_call: jobs: dependency-update: name: Dependency Update - runs-on: "(( os_version ))" + runs-on: "ubuntu-24.04" permissions: contents: write pull-requests: write @@ -18,24 +19,33 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 with: - python-version: "(( minimum_python_version ))" - poetry-version: "(( dependency_manager_version ))" + python-version: "3.10" + poetry-version: "2.3.0" - name: Audit Dependencies id: audit-dependencies - run: poetry run -- nox -s dependency:audit + shell: bash + run: | + poetry run -- nox -s dependency:audit | tee vulnerabilities.json + LENGTH=$(jq 'length' vulnerabilities.json) + echo "count=$LENGTH" >> "$GITHUB_OUTPUT" - name: Update Dependencies id: update-dependencies + if: steps.audit-dependencies.outputs.count > 0 run: poetry update - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes + if: steps.audit-dependencies.outputs.count > 0 + shell: bash run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
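Review bot: The `shell: bash` on the rewritten Audit Dependencies step is load-bearing and undocumented: an explicit `shell: bash` makes GitHub run the script with `-eo pipefail`, whereas the runner default is `bash -e {0}` without `pipefail`, so without this line a non-zero exit from `nox -s dependency:audit` would be masked by `tee` and the step would carry on with an empty or partial `vulnerabilities.json`. A comment would stop it being dropped as noise, e.g. `# explicit bash => -eo pipefail: a failing audit must fail this step, not be hidden by tee`. The `jq 'length'` line also presumes the nox session writes exactly one JSON array to stdout and nothing else; if the session does not guarantee that, say so in the same comment.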
@@ -43,18 +53,45 @@ jobs: echo "changed=true" >> "$GITHUB_OUTPUT" fi - - name: Create Pull Request - id: create-pull-request + - name: Configure git + id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - commit-message: "Update poetry.lock" - branch: dependency-update/poetry-lock - delete-branch: true - title: "Update poetry.lock" - body: | - Automated dependency update for `poetry.lock`. - - This PR was created by the dependency update workflow after running: - - `poetry run -- nox -s dependency:audit` - - `poetry update` + shell: bash + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + id: create-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + shell: bash + run: | + branch_name="dependency-update/poetry-lock" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + id: publish-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + shell: bash + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + git add poetry.lock + git commit --message "Update poetry.lock" + git push --set-upstream origin "$branch_name" + + - name: Create pull request + id: create-pr + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ github.token }} + shell: bash + run: | + gh pr create \ + --base main \ + --title "Update poetry.lock" \ + --body "Automated dependency update for \`poetry.lock\`. + + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" 
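Review bot: The `Create pull request` step authenticates with `GH_TOKEN: ${{ github.token }}`, and pushes and pull requests made with the workflow's own `GITHUB_TOKEN` do not trigger `push`/`pull_request` workflows, so the updated `poetry.lock` arrives in a PR against which no CI or security checks have run and could be merged on the strength of the audit alone. Either push the branch and open the PR with a GitHub App installation token or a scoped PAT so the normal merge gate runs, or state the limitation in the `--body` text so reviewers know to trigger the checks themselves. The `.github/workflows` copy of this workflow in the next patch of this series (`@@ -43,18 +51,43 @@` of `.github/workflows/dependency-update.yml`) has the same shape. Note also that `poetry update` bumps every dependency within its constraints, not only the packages the audit flagged, so the PR is a full refresh rather than a targeted fix and the body text should say so.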
diff --git a/test/integration/project-template/nox_test.py b/test/integration/project-template/nox_test.py index cc5767ad91..33c2397121 100644 --- a/test/integration/project-template/nox_test.py +++ b/test/integration/project-template/nox_test.py @@ -76,4 +76,4 @@ def test_install_github_workflows(self, poetry_path, run_command): assert output.returncode == 0 file_list = run_command(["ls", ".github/workflows"]).stdout.splitlines() - assert len(file_list) == 13 + assert len(file_list) == 14 diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index 21f5eb100b..4f8cbed7f1 100644 --- a/test/integration/tools/workflow_integration_test.py +++ b/test/integration/tools/workflow_integration_test.py @@ -49,6 +49,7 @@ def test_with_columns(cli_runner): assert "report" in result.output assert "slow-checks" in result.output + def test_show_workflow(cli_runner): result = cli_runner.invoke(CLI, ["show", "checks"]) diff --git a/test/unit/nox/_workflow_test.py b/test/unit/nox/_workflow_test.py index c4a048719c..a0654c93dd 100644 --- a/test/unit/nox/_workflow_test.py +++ b/test/unit/nox/_workflow_test.py @@ -35,7 +35,7 @@ class TestGenerateWorkflow: @staticmethod @pytest.mark.parametrize( "nox_session_runner_posargs, expected_count", - [(ALL, 13), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]], + [(ALL, 14), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]], indirect=["nox_session_runner_posargs"], ) def test_works_as_expected( diff --git a/test/unit/tool_template_test.py b/test/unit/tool_template_test.py index 74734877d3..d60c24a3d9 100644 --- a/test/unit/tool_template_test.py +++ b/test/unit/tool_template_test.py @@ -11,6 +11,7 @@ def test_retrieve_workflow_templates(): "check-release-tag": "check-release-tag.yml", "checks": "checks.yml", "ci": "ci.yml", + "dependency-update": "dependency-update.yml", "gh-pages": "gh-pages.yml", "matrix-all": "matrix-all.yml", "matrix-exasol": "matrix-exasol.yml", 
@@ -51,6 +52,7 @@ def test_retrieve_issue_templates(): "check-release-tag": "check-release-tag.yml", "checks": "checks.yml", "ci": "ci.yml", + "dependency-update": "dependency-update.yml", "gh-pages": "gh-pages.yml", "matrix-all": "matrix-all.yml", "matrix-exasol": "matrix-exasol.yml", @@ -106,6 +108,7 @@ def test_retrieve_templates(subpackage, expected): "check-release-tag.yml", "checks.yml", "ci.yml", + "dependency-update.yml", "gh-pages.yml", "matrix-all.yml", "matrix-exasol.yml", diff --git a/test/unit/util/workflows/templates_test.py b/test/unit/util/workflows/templates_test.py index 994777e261..241796bf39 100644 --- a/test/unit/util/workflows/templates_test.py +++ b/test/unit/util/workflows/templates_test.py @@ -11,6 +11,7 @@ def test_get_workflow_templates(project_config): "check-release-tag", "checks", "ci", + "dependency-update", "gh-pages", "matrix-all", "matrix-exasol", From c9c53e6e8d1ff57ce6ba59b54cb7d364b234addd Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Tue, 14 Apr 2026 16:19:03 +0200 Subject: [PATCH 03/16] Apply review feedback for dependency update workflow --- .github/workflows/dependency-update.yml | 63 ++++++++++++++----- doc/github_actions/dependency_update.rst | 14 ----- doc/github_actions/github_actions.rst | 1 - .../features/github_workflows/index.rst | 14 +++++ .../github/workflows/dependency-update.yml | 19 +++--- 5 files changed, 69 insertions(+), 42 deletions(-) delete mode 100644 doc/github_actions/dependency_update.rst diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 69b7a1dff1..a485ae9eb7 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -5,6 +5,7 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: + workflow_call: jobs: dependency-update: 
@@ -18,6 +19,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -28,14 +31,19 @@ jobs: - name: Audit Dependencies id: audit-dependencies - run: poetry run -- nox -s dependency:audit + run: | + poetry run -- nox -s dependency:audit | tee vulnerabilities.json + LENGTH=$(jq 'length' vulnerabilities.json) + echo "count=$LENGTH" >> "$GITHUB_OUTPUT" - name: Update Dependencies id: update-dependencies + if: steps.audit-dependencies.outputs.count > 0 run: poetry update - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes + if: steps.audit-dependencies.outputs.count > 0 run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
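Review bot: The new Audit Dependencies step in this `.github/workflows` copy has no `shell: bash`, so it runs under the runner default `bash -e {0}` without `pipefail`; a non-zero exit from `poetry run -- nox -s dependency:audit` is then masked by `tee`, `jq 'length'` on an empty file prints nothing, `count=` is written, and `steps.audit-dependencies.outputs.count > 0` coerces the empty string to 0 and evaluates false — a broken audit looks like a clean one and no update is attempted. Make the step fail closed with `shell: bash` (or `set -o pipefail` as the first script line) and `LENGTH=$(jq -e 'length' vulnerabilities.json)`, since `jq -e` exits non-zero when no JSON value was produced. The template copy later in this series (`@@ -26,12 +25,11 @@` of `exasol/toolbox/templates/github/workflows/dependency-update.yml`) removes its `shell: bash` and needs the same treatment.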
@@ -43,18 +51,43 @@ jobs: echo "changed=true" >> "$GITHUB_OUTPUT" fi - - name: Create Pull Request - id: create-pull-request + - name: Configure git + id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - commit-message: "Update poetry.lock" - branch: dependency-update/poetry-lock - delete-branch: true - title: "Update poetry.lock" - body: |- - Automated dependency update for `poetry.lock`. - - This PR was created by the dependency update workflow after running: - - `poetry run -- nox -s dependency:audit` - - `poetry update` + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + id: create-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + run: | + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + id: publish-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + git add poetry.lock + git commit --message "Update poetry.lock" + git push --set-upstream origin "$branch_name" + + - name: Create pull request + id: create-pr + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ github.token }} + run: |- + BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) + + gh pr create \ + --base "$BASE_BRANCH" \ + --title "Update poetry.lock" \ + --body "Automated dependency update for \`poetry.lock\`. + + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" 
diff --git a/doc/github_actions/dependency_update.rst b/doc/github_actions/dependency_update.rst deleted file mode 100644 index 807ffeefdd..0000000000 --- a/doc/github_actions/dependency_update.rst +++ /dev/null @@ -1,14 +0,0 @@ -dependency-update -================= - -This workflow updates the project dependencies using Poetry. - -It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``. -If the ``poetry.lock`` file changes, a pull request is created automatically. - -Example Usage -------------- - -.. code-block:: bash - - tbx workflow install dependency-update \ No newline at end of file diff --git a/doc/github_actions/github_actions.rst b/doc/github_actions/github_actions.rst index d9798ac602..e9139e8869 100644 --- a/doc/github_actions/github_actions.rst +++ b/doc/github_actions/github_actions.rst @@ -8,4 +8,3 @@ python_environment security_issues - dependency_update diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index 6b6e8f7fc6..b465c9610d 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst @@ -61,6 +61,9 @@ Workflows - Pull request and monthly - Executes the continuous integration suite by calling ``merge-gate.yml`` and ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls. + * - ``dependency-update.yml`` + - Weekly and manual + - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if ``poetry.lock`` changes. * - ``gh-pages.yml`` - Workflow call - Builds the documentation and deploys it to GitHub Pages. 
@@ -99,6 +102,17 @@ Workflows CI Actions ---------- +Dependency Update +^^^^^^^^^^^^^^^^^ + +The ``dependency-update.yml`` workflow helps keep project dependencies up to date. + +It can be triggered manually and is also scheduled to run weekly. + +The workflow first audits dependencies for known vulnerabilities. If vulnerabilities +are detected, it updates the dependencies using Poetry. When ``poetry.lock`` changes, +it creates a pull request with the update. + .. _ci_yml: Pull Request diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 45244b37eb..bd935cf4ba 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -5,12 +5,11 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: - workflow_call: jobs: dependency-update: name: Dependency Update - runs-on: "ubuntu-24.04" + runs-on: "(( os_version ))" permissions: contents: write pull-requests: write @@ -26,12 +25,11 @@ jobs: id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 with: - python-version: "3.10" - poetry-version: "2.3.0" + python-version: "(( minimum_python_version ))" + poetry-version: "(( dependency_manager_version ))" - name: Audit Dependencies id: audit-dependencies - shell: bash run: | poetry run -- nox -s dependency:audit | tee vulnerabilities.json LENGTH=$(jq 'length' vulnerabilities.json) @@ -45,7 +43,6 @@ jobs: - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes if: steps.audit-dependencies.outputs.count > 0 - shell: bash run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
@@ -56,7 +53,6 @@ jobs: - name: Configure git id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - shell: bash run: | git config --global user.email "opensource@exasol.com" git config --global user.name "Automatic Dependency Updater" @@ -64,16 +60,14 @@ jobs: - name: Create branch id: create-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' - shell: bash run: | - branch_name="dependency-update/poetry-lock" + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" git checkout -b "$branch_name" - name: Commit changes & push id: publish-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') - shell: bash run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -85,10 +79,11 @@ jobs: if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' env: GH_TOKEN: ${{ github.token }} - shell: bash run: | + BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) + gh pr create \ - --base main \ + --base "$BASE_BRANCH" \ --title "Update poetry.lock" \ --body "Automated dependency update for \`poetry.lock\`. From cea77fd6af2bb0927d9bc1ce3bb08f6c70fe189d Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 20 Apr 2026 11:49:11 +0200 Subject: [PATCH 04/16] Improve dependency update workflow, tests, and docs --- .../features/github_workflows/index.rst | 8 ++--- .../github/workflows/dependency-update.yml | 18 +++++++--- .../tools/workflow_integration_test.py | 36 +++++++++++-------- 3 files changed, 39 insertions(+), 23 deletions(-) diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index aaa8431b07..95ecb3612b 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst 
@@ -63,7 +63,7 @@ Workflows ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls. * - ``dependency-update.yml`` - Weekly and manual - - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if ``poetry.lock`` changes. + - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if the ``poetry.lock`` was changed. * - ``gh-pages.yml`` - Workflow call - Builds the documentation and deploys it to GitHub Pages. @@ -105,13 +105,13 @@ CI Actions Dependency Update ^^^^^^^^^^^^^^^^^ -The ``dependency-update.yml`` workflow helps keep project dependencies up to date. +The ``dependency-update.yml`` workflow is used to resolve vulnerabilities by updating our project dependencies. It can be triggered manually and is also scheduled to run weekly. The workflow first audits dependencies for known vulnerabilities. If vulnerabilities -are detected, it updates the dependencies using Poetry. When ``poetry.lock`` changes, -it creates a pull request with the update. +are detected, it updates the dependencies using Poetry. When the ``poetry.lock`` is changed, +then it creates a pull request with the update. .. _ci_yml: diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index bd935cf4ba..7acca3b228 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -21,6 +21,14 @@ jobs: with: fetch-depth: 0 + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/github-script@v8 + with: + script: | + core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 @@ -59,15 +67,15 @@ jobs: - name: Create branch id: create-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" - git checkout -b "$branch_name" + git switch -C "$branch_name" - name: Commit changes & push id: publish-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -76,7 +84,7 @@ jobs: - name: Create pull request id: create-pr - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: GH_TOKEN: ${{ github.token }} run: | @@ -84,7 +92,7 @@ jobs: gh pr create \ --base "$BASE_BRANCH" \ - --title "Update poetry.lock" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ --body "Automated dependency update for \`poetry.lock\`. This PR was created by the dependency update workflow after running: diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index 4f8cbed7f1..cc5707e366 100644 --- a/test/integration/tools/workflow_integration_test.py 
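Review bot: The new `Fail if not running on the default branch` step interpolates `${{ github.ref }}` straight into the JavaScript string handed to `actions/github-script`; this workflow can be dispatched on any branch, so a branch name containing a quote would break out of the literal and be evaluated as script in the step. Read the value from the action's context object instead: `core.setFailed('Not running on the default branch. github.ref is ' + context.ref)`. Anyone able to create such a branch already has write access, so the exposure is small, but the fix is free and removes the expression-injection pattern from a template that downstream projects copy. The identical step is added to `.github/workflows/dependency-update.yml` in a later patch of this series and should be changed the same way.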
+++ b/test/integration/tools/workflow_integration_test.py @@ -34,20 +34,28 @@ def test_with_columns(cli_runner): result = cli_runner.invoke(CLI, ["list", "--columns"]) assert result.exit_code == 0 - assert "build-and-publish" in result.output - assert "cd" in result.output - assert "check-release-tag" in result.output - assert "checks" in result.output - assert "ci" in result.output - assert "dependency-update" in result.output - assert "gh-pages" in result.output - assert "matrix-all" in result.output - assert "matrix-exasol" in result.output - assert "matrix-python" in result.output - assert "merge-gate" in result.output - assert "pr-merge" in result.output - assert "report" in result.output - assert "slow-checks" in result.output + + expected_substrings = """ + build-and-publish + cd + check-release-tag + checks + ci + dependency-update + gh-pages + matrix-all + matrix-exasol + matrix-python + merge-gate + pr-merge + report + slow-checks + """ + + actual = set(result.output.split()) + expected = set(expected_substrings.split()) + + assert expected.issubset(actual) def test_show_workflow(cli_runner): From 49145b9451436b6cb5a347db59e0be911627cee2 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 13:06:14 +0200 Subject: [PATCH 05/16] Fix release:prepare test --- exasol/toolbox/util/dependencies/audit.py | 2 +- test/unit/util/dependencies/audit_test.py | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/exasol/toolbox/util/dependencies/audit.py b/exasol/toolbox/util/dependencies/audit.py index 7a18cc3e7c..5d31b3bf98 100644 --- a/exasol/toolbox/util/dependencies/audit.py +++ b/exasol/toolbox/util/dependencies/audit.py 
@@ -260,7 +260,7 @@ def load_from_pip_audit(cls, working_directory: Path) -> Vulnerabilities: vulnerabilities = [] for entry in audit_dict["dependencies"]: - for vuln_entry in entry["vulns"]: + for vuln_entry in entry.get("vulns", []): vulnerabilities.append( Vulnerability.from_audit_entry( package_name=entry["name"], diff --git a/test/unit/util/dependencies/audit_test.py b/test/unit/util/dependencies/audit_test.py index cc414b0d23..d34bc88f1c 100644 --- a/test/unit/util/dependencies/audit_test.py +++ b/test/unit/util/dependencies/audit_test.py @@ -240,7 +240,13 @@ class TestVulnerabilities: @staticmethod def test_with_no_vulnerabilities(): pip_audit_dict = { - "dependencies": [{"name": "alabaster", "version": "0.7.16", "vulns": []}] + "dependencies": [ + { + "name": "exasol-toolbox", + "skip_reason": "Dependency not found on PyPI and could not be audited: exasol-toolbox (7.0.0)", + }, + {"name": "alabaster", "version": "0.7.16", "vulns": []}, + ] } pip_audit_json = json.dumps(pip_audit_dict) From bf382434cfe950a74dd3329dbd6655a8801c7034 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 13:22:02 +0200 Subject: [PATCH 06/16] Update PTB workflows to 7.0.0 --- .github/workflows/build-and-publish.yml | 2 +- .github/workflows/check-release-tag.yml | 2 +- .github/workflows/checks.yml | 16 ++++++++-------- .github/workflows/dependency-update.yml | 19 +++++++++++++------ .github/workflows/gh-pages.yml | 2 +- .github/workflows/matrix-all.yml | 2 +- .github/workflows/matrix-exasol.yml | 2 +- .github/workflows/matrix-python.yml | 2 +- .github/workflows/report.yml | 2 +- .github/workflows/slow-checks.yml | 2 +- 10 files changed, 29 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 9ba56f8d6f..867d79c9b6 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml 
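Review bot: `entry.get("vulns", [])` makes a dependency that pip-audit skipped (the new test fixture shows such an entry carrying only `name` and `skip_reason`, with no `version` or `vulns`) indistinguishable from one that was audited and found clean, so an unauditable package silently counts as vulnerability-free. That is the intended outcome for the project's own package, but for any other skipped dependency the loader should at least surface the reason, e.g. `if "skip_reason" in entry:` followed by a warning through whatever logger this module already uses (none is visible in the hunk) with `entry["name"]` and `entry["skip_reason"]`, placed before the inner loop. A short comment on the `.get` line stating that skipped entries have no `vulns` key would also stop the default from being reverted as a typo. `load_from_pip_audit` starts outside the hunk.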
@@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index 5423c11a4f..f099fa94ee 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -17,7 +17,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a258fef3ac..064a7fca55 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -42,7 +42,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -67,7 +67,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" 
@@ -102,7 +102,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" @@ -128,7 +128,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" @@ -157,7 +157,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -179,7 +179,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -227,7 +227,7 @@ jobs: fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index a485ae9eb7..b2b4fb940e 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -5,7 +5,6 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: - workflow_call: jobs: dependency-update: 
@@ -22,6 +21,14 @@ jobs: with: fetch-depth: 0 + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/github-script@v8 + with: + script: | + core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 @@ -60,15 +67,15 @@ jobs: - name: Create branch id: create-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" - git checkout -b "$branch_name" + git switch -C "$branch_name" - name: Commit changes & push id: publish-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -77,7 +84,7 @@ jobs: - name: Create pull request id: create-pr - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: GH_TOKEN: ${{ github.token }} run: |- @@ -85,7 +92,7 @@ jobs: gh pr create \ --base "$BASE_BRANCH" \ - --title "Update poetry.lock" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ --body "Automated dependency update for \`poetry.lock\`. This PR was created by the dependency update workflow after running: diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 147d0453a8..73c74dc99f 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
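Review bot: The new `check-branch` step interpolates `${{ github.ref }}` directly into the JavaScript source of the `script:` block; the hardening guidance for github-script is to read such values from `context` or an env var so they are data rather than code, e.g. `core.setFailed(\`Not running on the default branch. github.ref is ${context.ref}\`)`. Here the ref is a branch name chosen by whoever triggers `workflow_dispatch`, which already needs write access, so the exposure is small, but the pattern is what workflow linters flag and it is cheap to avoid. Separately, the context line right after the inserted step still uses `python-environment@v6` while this commit moves every other workflow to `@v7`, which looks like an oversight in this file. The job's `permissions:` block is outside the hunk, so I cannot confirm which scopes the later steps rely on.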
@@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index 69a5aa4b4f..558f5ef672 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index 44b5cfd985..a64b88c3f6 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index 328799b6c9..e68fd4d1e7 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 8790ca1ab2..7612aeba7e 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml 
@@ -20,7 +20,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index 8f1b55e42e..46ed19863c 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -29,7 +29,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-version }} poetry-version: "2.3.0" From b59c5b5391cc524c5f09e4ea35ed1688b3af15af Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Mon, 4 May 2026 11:59:04 +0200 Subject: [PATCH 07/16] Add Slack reporting hook --- .github/workflows/dependency-update.yml | 27 ++++++++++++++----- .../github/workflows/dependency-update.yml | 25 +++++++++++++---- 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index b2b4fb940e..33b3737e04 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml 
@@ -87,14 +87,29 @@ jobs: if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: GH_TOKEN: ${{ github.token }} - run: |- + run: | BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) - gh pr create \ - --base "$BASE_BRANCH" \ - --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ - --body "Automated dependency update for \`poetry.lock\`. - + PR_BODY="Automated dependency update for \`poetry.lock\`. This PR was created by the dependency update workflow after running: - \`poetry run -- nox -s dependency:audit\` - \`poetry update\`" + + PR_URL=$(gh pr create \ + --base "$BASE_BRANCH" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ + --body "$PR_BODY") + + echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT" + + - name: Report new Pull Request to Slack channel + id: report-pr-slack + if: ${{ steps.create-pr.outputs.pr_url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: '${{ job.status }}' + token: '${{ secrets.GITHUB_TOKEN }}' + notification_title: 'Dependency update for {repo} created a Pull Request' + message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}' + env: + SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}' diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 7acca3b228..de740a74ed 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
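Review bot: The new `report-pr-slack` step hands both `secrets.GITHUB_TOKEN` and the Slack webhook secret to a third-party action referenced by the mutable tag `ravsamhq/notify-slack-action@v2`; pin it to a full commit SHA with the version in a comment, e.g. `uses: ravsamhq/notify-slack-action@<FULL_COMMIT_SHA>  # v2` (placeholder), so a moved tag cannot change the code that runs with those secrets. Also check whether the `token:` input is needed for the message this step sends; if the action only posts the notification, omitting it keeps the token out of third-party code. The same step is added to the template in the next hunk (`exasol/toolbox/templates/github/workflows/dependency-update.yml`), so the pin should land in both places.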
@@ -90,11 +90,26 @@ jobs: run: | BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) - gh pr create \ - --base "$BASE_BRANCH" \ - --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ - --body "Automated dependency update for \`poetry.lock\`. - + PR_BODY="Automated dependency update for \`poetry.lock\`. This PR was created by the dependency update workflow after running: - \`poetry run -- nox -s dependency:audit\` - \`poetry update\`" + + PR_URL=$(gh pr create \ + --base "$BASE_BRANCH" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ + --body "$PR_BODY") + + echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT" + + - name: Report new Pull Request to Slack channel + id: report-pr-slack + if: ${{ steps.create-pr.outputs.pr_url }} + uses: ravsamhq/notify-slack-action@v2 + with: + status: '${{ job.status }}' + token: '${{ secrets.GITHUB_TOKEN }}' + notification_title: 'Dependency update for {repo} created a Pull Request' + message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}' + env: + SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}' From 85c89d23233f485b79088d88b089b4ff91f83211 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Mon, 4 May 2026 12:00:57 +0200 Subject: [PATCH 08/16] Add entry to unreleased.md changelog --- doc/changes/unreleased.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index fb4737052b..48f82d4ae1 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md @@ -1,3 +1,7 @@ # Unreleased ## Summary + +## Features + +* #756: Added `dependency-update.yml` to automate resolving vulnerabilities with a generated pull request From a882d411d88f61f6794c68d67e0ffb825ba3f95e Mon Sep 17 00:00:00 2001 
From: Rimsha Masood <144063231+Rimsha2535@users.noreply.github.com> Date: Wed, 6 May 2026 10:44:23 +0200 Subject: [PATCH 09/16] Update .github/workflows/dependency-update.yml Co-authored-by: Christoph Kuhnke --- .github/workflows/dependency-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 33b3737e04..5ab74cef37 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -69,7 +69,7 @@ jobs: id: create-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | - branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + branch_name="dependency-update/$(date "+%Y-%m-%d_%H:%M:%S")" echo "Creating branch $branch_name" git switch -C "$branch_name" From eec5503f661bf3ea43e77b3509d3c61ed4deb22d Mon Sep 17 00:00:00 2001 From: Rimsha Masood <144063231+Rimsha2535@users.noreply.github.com> Date: Wed, 6 May 2026 10:44:41 +0200 Subject: [PATCH 10/16] Update .github/workflows/dependency-update.yml Co-authored-by: Christoph Kuhnke --- .github/workflows/dependency-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 5ab74cef37..162f185cc4 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -79,7 +79,7 @@ jobs: run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock - git commit --message "Update poetry.lock" + git commit --message "Updated poetry.lock" git push --set-upstream origin "$branch_name" - name: Create pull request From 4bb47a9ce84a9a01cde70b28db22bb85bcce2485 Mon Sep 17 00:00:00 2001 
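Review bot: The new branch name `dependency-update/$(date "+%Y-%m-%d_%H:%M:%S")` contains colons, and git ref names may not contain `:` (see `git check-ref-format`), so `git switch -C "$branch_name"` in the next line will reject the name and the job fails before anything is pushed. Use a separator git accepts, e.g. `branch_name="dependency-update/$(date "+%Y-%m-%d_%H-%M-%S")"`. The same format is copied into the template in PATCH 16/16 (the `@@ -69,20 +69,20 @@` hunk), which needs the same correction.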
From: Rimsha Masood <144063231+Rimsha2535@users.noreply.github.com> Date: Wed, 6 May 2026 10:44:58 +0200 Subject: [PATCH 11/16] Update .github/workflows/dependency-update.yml Co-authored-by: Christoph Kuhnke --- .github/workflows/dependency-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 162f185cc4..693966d133 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -102,7 +102,7 @@ jobs: echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT" - - name: Report new Pull Request to Slack channel + - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} uses: ravsamhq/notify-slack-action@v2 From a4c95e325ff4d919b2fe2b6cfaa859676d7a3cc4 Mon Sep 17 00:00:00 2001 From: Rimsha Masood <144063231+Rimsha2535@users.noreply.github.com> Date: Wed, 6 May 2026 10:45:11 +0200 Subject: [PATCH 12/16] Update .github/workflows/dependency-update.yml Co-authored-by: Christoph Kuhnke --- .github/workflows/dependency-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 693966d133..4f22cf78c7 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -82,7 +82,7 @@ jobs: git commit --message "Updated poetry.lock" git push --set-upstream origin "$branch_name" - - name: Create pull request + - name: Create Pull Request id: create-pr if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: From 8ec9d68308172fb47b7a8b2aebdd9ab67a77b408 Mon Sep 17 00:00:00 2001 
From: Rimsha Masood <144063231+Rimsha2535@users.noreply.github.com> Date: Wed, 6 May 2026 10:45:26 +0200 Subject: [PATCH 13/16] Update .github/workflows/dependency-update.yml Co-authored-by: Christoph Kuhnke --- .github/workflows/dependency-update.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 4f22cf78c7..6268b50187 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -73,7 +73,7 @@ jobs: echo "Creating branch $branch_name" git switch -C "$branch_name" - - name: Commit changes & push + - name: Commit Changes & Push id: publish-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | From 9e1800711d0a1684aa8d07f5c52f3f9a47698370 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 4 May 2026 11:00:10 +0200 Subject: [PATCH 14/16] Add slack_hook --- .../templates/github/workflows/dependency-update.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index de740a74ed..7269f28f63 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -102,6 +102,14 @@ jobs: echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT" + pr_url=$(gh pr create \ + --base "$BASE_BRANCH" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ + --body "Automated dependency update for \`poetry.lock\`.) + echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT" + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" - name: Report new Pull Request to Slack channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} 
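Review bot: The lines added to the template's `create-pr` step insert a second `pr_url=$(gh pr create ...` invocation whose `--body` string is closed by `.)` and then continued, after an `echo`, by the `This PR was created ...` lines, leaving the quoting unbalanced; the indentation is lost in this view, but as written the `run:` block will not parse, and if it did it would try to open a second pull request. The preceding `PR_URL=$(gh pr create ...)` and `echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"` already do this work, so the added lines should be removed rather than repaired. PATCH 16/16 touches this file again but leaves these lines in place.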
@@ -110,6 +118,9 @@ jobs: status: '${{ job.status }}' token: '${{ secrets.GITHUB_TOKEN }}' notification_title: 'Dependency update for {repo} created a Pull Request' + status: '${{ job.status }}', + token: '${{ secrets.GITHUB_TOKEN }}', + notification_title: 'Dependency update for {repo} created a Pull Request', message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}' env: SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}' From ee5f3ab59d34f3384c07a4b466ffc904c435e6cc Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Wed, 6 May 2026 11:03:41 +0200 Subject: [PATCH 15/16] Resolve merge conflicts --- .github/workflows/merge-gate.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index 24200ed937..a4c6a079a8 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml @@ -48,14 +48,6 @@ jobs: permissions: contents: read - test-python-environment: - name: Test python-environment Action - needs: - - approve-run-slow-tests - uses: ./.github/workflows/test-python-environment.yml - permissions: - contents: read - # This job ensures inputs have been executed successfully. allow-merge: name: Allow Merge @@ -70,6 +62,7 @@ jobs: - test-python-environment # To prevent accidentally merges, this step is required. For more details # see: https://github.com/exasol/python-toolbox/issues/563 + # Each job requires a step, so we added this dummy step. steps: - name: Branch Protection - failure if any ancestor failed or was cancelled if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }} From 6f64290d6d54f295eba8aba224c5b6d14096658b Mon Sep 17 00:00:00 2001 
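Review bot: The three added lines repeat the `status:`, `token:` and `notification_title:` keys already present in the step's `with:` mapping, each with a trailing comma; duplicate mapping keys are either rejected by the YAML loader or resolved last-wins, and in the latter case the commas become part of the values (the action would receive `success,` as its status). Delete the three added lines; the original keys above them are complete.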
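Review bot: In merge-gate.yml the `allow-merge` job still lists `- test-python-environment` (a context line at the top of this hunk, apparently under its `needs:`, which is outside the hunk) although the previous hunk deletes that job; GitHub rejects a workflow whose `needs` names an unknown job, so the merge gate would stop running at all. Remove the `- test-python-environment` entry together with the job.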
From: Rimsha Masood Date: Wed, 6 May 2026 11:15:48 +0200 Subject: [PATCH 16/16] Copy dependency-update workflow changes to template --- .../templates/github/workflows/dependency-update.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 7269f28f63..d65e1d4271 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -69,20 +69,20 @@ jobs: id: create-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | - branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + branch_name="dependency-update/$(date "+%Y-%m-%d_%H:%M:%S")" echo "Creating branch $branch_name" git switch -C "$branch_name" - - name: Commit changes & push + - name: Commit Changes & Push id: publish-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock - git commit --message "Update poetry.lock" + git commit --message "Updated poetry.lock" git push --set-upstream origin "$branch_name" - - name: Create pull request + - name: Create Pull Request id: create-pr if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: @@ -110,7 +110,7 @@ jobs: This PR was created by the dependency update workflow after running: - \`poetry run -- nox -s dependency:audit\` - \`poetry update\`" - - name: Report new Pull Request to Slack channel + - name: Report New Pull Request to Slack Channel id: report-pr-slack if: ${{ steps.create-pr.outputs.pr_url }} uses: ravsamhq/notify-slack-action@v2