From fdf9333255b50435890322559603c7bda4ed5771 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Thu, 19 Mar 2026 14:53:36 +0100 Subject: [PATCH 01/12] added dependency-update workflow template --- .github/workflows/dependency-update.yml | 60 +++++++++++++++++++ doc/github_actions/dependency_update.rst | 14 +++++ doc/github_actions/github_actions.rst | 1 + .../github/workflows/dependency-update.yml | 60 +++++++++++++++++++ .../tools/workflow_integration_test.py | 25 +++++--- 5 files changed, 152 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/dependency-update.yml create mode 100644 doc/github_actions/dependency_update.rst create mode 100644 exasol/toolbox/templates/github/workflows/dependency-update.yml diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml new file mode 100644 index 0000000000..69b7a1dff1 --- /dev/null +++ b/.github/workflows/dependency-update.yml 
@@ -0,0 +1,60 @@ +name: Dependency Update + +on: + schedule: + # Every Monday at 03:00 UTC + - cron: "0 3 * * 1" + workflow_dispatch: + +jobs: + dependency-update: + name: Dependency Update + runs-on: "ubuntu-24.04" + permissions: + contents: write + pull-requests: write + + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + + - name: Set up Python & Poetry Environment + id: set-up-python-and-poetry-environment + uses: exasol/python-toolbox/.github/actions/python-environment@v6 + with: + python-version: "3.10" + poetry-version: "2.3.0" + + - name: Audit Dependencies + id: audit-dependencies + run: poetry run -- nox -s dependency:audit + + - name: Update Dependencies + id: update-dependencies + run: poetry update + + - name: Check for poetry.lock Changes + id: check-for-poetry-lock-changes + run: | + if git diff --quiet -- poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create Pull Request + id: create-pull-request + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' + uses: peter-evans/create-pull-request@v7 + with: + commit-message: "Update poetry.lock" + branch: dependency-update/poetry-lock + delete-branch: true + title: "Update poetry.lock" + body: |- + Automated dependency update for `poetry.lock`. + + This PR was created by the dependency update workflow after running: + - `poetry run -- nox -s dependency:audit` + - `poetry update` diff --git a/doc/github_actions/dependency_update.rst b/doc/github_actions/dependency_update.rst new file mode 100644 index 0000000000..807ffeefdd --- /dev/null +++ b/doc/github_actions/dependency_update.rst 
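Review bot: The `Create Pull Request` step runs `peter-evans/create-pull-request@v7` without a `token:` input, so it falls back to the job's `GITHUB_TOKEN`, and pull requests opened with that token do not trigger `pull_request` workflows — the merge gate and checks will not run on the automated update PR, which is precisely the change that needs CI before merging. The same applies to the template copy of this file in this commit and to the `gh pr create` steps that use `GH_TOKEN: ${{ github.token }}` in commits 02 and 03. If that is the intended trade-off, record it above the step, e.g. `# PRs opened with GITHUB_TOKEN do not trigger pull_request workflows; CI must be started by hand (close/reopen)`; otherwise a GitHub App installation token scoped to this repository would be needed, kept as narrow as the job's `permissions:` block already is.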
@@ -0,0 +1,14 @@ +dependency-update +================= + +This workflow updates the project dependencies using Poetry. + +It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``. +If the ``poetry.lock`` file changes, a pull request is created automatically. + +Example Usage +------------- + +.. code-block:: bash + + tbx workflow install dependency-update \ No newline at end of file diff --git a/doc/github_actions/github_actions.rst b/doc/github_actions/github_actions.rst index e9139e8869..d9798ac602 100644 --- a/doc/github_actions/github_actions.rst +++ b/doc/github_actions/github_actions.rst @@ -8,3 +8,4 @@ python_environment security_issues + dependency_update diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml new file mode 100644 index 0000000000..45f5a145f2 --- /dev/null +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -0,0 +1,60 @@ +name: Dependency Update + +on: + schedule: + # Every Monday at 03:00 UTC + - cron: "0 3 * * 1" + workflow_dispatch: + +jobs: + dependency-update: + name: Dependency Update + runs-on: "(( os_version ))" + permissions: + contents: write + pull-requests: write + + steps: + - name: Check out Repository + id: check-out-repository + uses: actions/checkout@v6 + + - name: Set up Python & Poetry Environment + id: set-up-python-and-poetry-environment + uses: exasol/python-toolbox/.github/actions/python-environment@v6 + with: + python-version: "(( minimum_python_version ))" + poetry-version: "(( dependency_manager_version ))" + + - name: Audit Dependencies + id: audit-dependencies + run: poetry run -- nox -s dependency:audit + + - name: Update Dependencies + id: update-dependencies + run: poetry update + + - name: Check for poetry.lock Changes + id: check-for-poetry-lock-changes + run: | + if git diff --quiet -- poetry.lock; then + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + + - name: Create Pull Request + id: create-pull-request + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' + uses: peter-evans/create-pull-request@v7 + with: + commit-message: "Update poetry.lock" + branch: dependency-update/poetry-lock + delete-branch: true + title: "Update poetry.lock" + body: | + Automated dependency update for `poetry.lock`. + + This PR was created by the dependency update workflow after running: + - `poetry run -- nox -s dependency:audit` + - `poetry update` diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index cf85d01208..21f5eb100b 100644 --- a/test/integration/tools/workflow_integration_test.py +++ b/test/integration/tools/workflow_integration_test.py @@ -18,6 +18,7 @@ def test_with_default(cli_runner): "check-release-tag\n" "checks\n" "ci\n" + "dependency-update\n" "gh-pages\n" "matrix-all\n" "matrix-exasol\n" 
@@ -33,14 +34,20 @@ def test_with_columns(cli_runner): result = cli_runner.invoke(CLI, ["list", "--columns"]) assert result.exit_code == 0 - assert result.output == ( - "build-and-publish cd check-release-tag checks ci " - "gh-pages\n" - "matrix-all matrix-exasol matrix-python merge-gate pr-merge " - "report \n" - "slow-checks \n" - ) - + assert "build-and-publish" in result.output + assert "cd" in result.output + assert "check-release-tag" in result.output + assert "checks" in result.output + assert "ci" in result.output + assert "dependency-update" in result.output + assert "gh-pages" in result.output + assert "matrix-all" in result.output + assert "matrix-exasol" in result.output + assert "matrix-python" in result.output + assert "merge-gate" in result.output + assert "pr-merge" in result.output + assert "report" in result.output + assert "slow-checks" in result.output def test_show_workflow(cli_runner): result = cli_runner.invoke(CLI, ["show", "checks"]) @@ -57,6 +64,7 @@ def test_show_workflow(cli_runner): "check-release-tag", "checks", "ci", + "dependency-update", "gh-pages", "matrix-all", "matrix-exasol", @@ -92,6 +100,7 @@ def test_all_workflows(cli_runner, tmp_path): "check-release-tag.yml", "checks.yml", "ci.yml", + "dependency-update.yml", "gh-pages.yml", "matrix-all.yml", "matrix-exasol.yml", From 67e8357c4484441debadc2cf5297ebdce964c207 Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 13 Apr 2026 15:24:23 +0200 Subject: [PATCH 02/12] Add dependency-update workflow template and update tests --- .../github/workflows/dependency-update.yml | 73 ++++++++++++++----- test/integration/project-template/nox_test.py | 2 +- .../tools/workflow_integration_test.py | 1 + test/unit/nox/_workflow_test.py | 2 +- test/unit/tool_template_test.py | 3 + test/unit/util/workflows/templates_test.py | 1 + 6 files changed, 62 insertions(+), 20 deletions(-) 
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 45f5a145f2..45244b37eb 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -5,11 +5,12 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: + workflow_call: jobs: dependency-update: name: Dependency Update - runs-on: "(( os_version ))" + runs-on: "ubuntu-24.04" permissions: contents: write pull-requests: write @@ -18,24 +19,33 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 with: - python-version: "(( minimum_python_version ))" - poetry-version: "(( dependency_manager_version ))" + python-version: "3.10" + poetry-version: "2.3.0" - name: Audit Dependencies id: audit-dependencies - run: poetry run -- nox -s dependency:audit + shell: bash + run: | + poetry run -- nox -s dependency:audit | tee vulnerabilities.json + LENGTH=$(jq 'length' vulnerabilities.json) + echo "count=$LENGTH" >> "$GITHUB_OUTPUT" - name: Update Dependencies id: update-dependencies + if: steps.audit-dependencies.outputs.count > 0 run: poetry update - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes + if: steps.audit-dependencies.outputs.count > 0 + shell: bash run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
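Review bot: In `Audit Dependencies`, `jq 'length' vulnerabilities.json` produces no output when the file does not hold a single JSON document, and the resulting empty `count=` is coerced to 0 by the `steps.audit-dependencies.outputs.count > 0` conditions on the two following steps, so a broken audit silently reads as "no vulnerabilities". Use `LENGTH=$(jq -e 'length' vulnerabilities.json)` so the step fails when jq produced no value, and add a comment above the step recording the assumption the pipeline relies on, e.g. `# the audit session must print exactly one JSON array on stdout`. Note also that `shell: bash` makes the runner execute the script with `bash -eo pipefail`, so if the nox session exits non-zero when it finds vulnerabilities (not visible in this hunk), the pipe fails and `poetry update` never runs — worth confirming against the session.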
@@ -43,18 +53,45 @@ jobs: echo "changed=true" >> "$GITHUB_OUTPUT" fi - - name: Create Pull Request - id: create-pull-request + - name: Configure git + id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - commit-message: "Update poetry.lock" - branch: dependency-update/poetry-lock - delete-branch: true - title: "Update poetry.lock" - body: | - Automated dependency update for `poetry.lock`. - - This PR was created by the dependency update workflow after running: - - `poetry run -- nox -s dependency:audit` - - `poetry update` + shell: bash + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + id: create-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + shell: bash + run: | + branch_name="dependency-update/poetry-lock" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + id: publish-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + shell: bash + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + git add poetry.lock + git commit --message "Update poetry.lock" + git push --set-upstream origin "$branch_name" + + - name: Create pull request + id: create-pr + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ github.token }} + shell: bash + run: | + gh pr create \ + --base main \ + --title "Update poetry.lock" \ + --body "Automated dependency update for \`poetry.lock\`. + + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" 
diff --git a/test/integration/project-template/nox_test.py b/test/integration/project-template/nox_test.py index cc5767ad91..33c2397121 100644 --- a/test/integration/project-template/nox_test.py +++ b/test/integration/project-template/nox_test.py @@ -76,4 +76,4 @@ def test_install_github_workflows(self, poetry_path, run_command): assert output.returncode == 0 file_list = run_command(["ls", ".github/workflows"]).stdout.splitlines() - assert len(file_list) == 13 + assert len(file_list) == 14 diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index 21f5eb100b..4f8cbed7f1 100644 --- a/test/integration/tools/workflow_integration_test.py +++ b/test/integration/tools/workflow_integration_test.py @@ -49,6 +49,7 @@ def test_with_columns(cli_runner): assert "report" in result.output assert "slow-checks" in result.output + def test_show_workflow(cli_runner): result = cli_runner.invoke(CLI, ["show", "checks"]) diff --git a/test/unit/nox/_workflow_test.py b/test/unit/nox/_workflow_test.py index c4a048719c..a0654c93dd 100644 --- a/test/unit/nox/_workflow_test.py +++ b/test/unit/nox/_workflow_test.py @@ -35,7 +35,7 @@ class TestGenerateWorkflow: @staticmethod @pytest.mark.parametrize( "nox_session_runner_posargs, expected_count", - [(ALL, 13), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]], + [(ALL, 14), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]], indirect=["nox_session_runner_posargs"], ) def test_works_as_expected( diff --git a/test/unit/tool_template_test.py b/test/unit/tool_template_test.py index 74734877d3..d60c24a3d9 100644 --- a/test/unit/tool_template_test.py +++ b/test/unit/tool_template_test.py @@ -11,6 +11,7 @@ def test_retrieve_workflow_templates(): "check-release-tag": "check-release-tag.yml", "checks": "checks.yml", "ci": "ci.yml", + "dependency-update": "dependency-update.yml", "gh-pages": "gh-pages.yml", "matrix-all": "matrix-all.yml", "matrix-exasol": "matrix-exasol.yml", 
@@ -51,6 +52,7 @@ def test_retrieve_issue_templates(): "check-release-tag": "check-release-tag.yml", "checks": "checks.yml", "ci": "ci.yml", + "dependency-update": "dependency-update.yml", "gh-pages": "gh-pages.yml", "matrix-all": "matrix-all.yml", "matrix-exasol": "matrix-exasol.yml", @@ -106,6 +108,7 @@ def test_retrieve_templates(subpackage, expected): "check-release-tag.yml", "checks.yml", "ci.yml", + "dependency-update.yml", "gh-pages.yml", "matrix-all.yml", "matrix-exasol.yml", diff --git a/test/unit/util/workflows/templates_test.py b/test/unit/util/workflows/templates_test.py index 994777e261..241796bf39 100644 --- a/test/unit/util/workflows/templates_test.py +++ b/test/unit/util/workflows/templates_test.py @@ -11,6 +11,7 @@ def test_get_workflow_templates(project_config): "check-release-tag", "checks", "ci", + "dependency-update", "gh-pages", "matrix-all", "matrix-exasol", From c9c53e6e8d1ff57ce6ba59b54cb7d364b234addd Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Tue, 14 Apr 2026 16:19:03 +0200 Subject: [PATCH 03/12] Apply review feedback for dependency update workflow --- .github/workflows/dependency-update.yml | 63 ++++++++++++++----- doc/github_actions/dependency_update.rst | 14 ----- doc/github_actions/github_actions.rst | 1 - .../features/github_workflows/index.rst | 14 +++++ .../github/workflows/dependency-update.yml | 19 +++--- 5 files changed, 69 insertions(+), 42 deletions(-) delete mode 100644 doc/github_actions/dependency_update.rst diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml index 69b7a1dff1..a485ae9eb7 100644 --- a/.github/workflows/dependency-update.yml +++ b/.github/workflows/dependency-update.yml @@ -5,6 +5,7 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: + workflow_call: jobs: dependency-update: 
@@ -18,6 +19,8 @@ jobs: - name: Check out Repository id: check-out-repository uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment @@ -28,14 +31,19 @@ jobs: - name: Audit Dependencies id: audit-dependencies - run: poetry run -- nox -s dependency:audit + run: | + poetry run -- nox -s dependency:audit | tee vulnerabilities.json + LENGTH=$(jq 'length' vulnerabilities.json) + echo "count=$LENGTH" >> "$GITHUB_OUTPUT" - name: Update Dependencies id: update-dependencies + if: steps.audit-dependencies.outputs.count > 0 run: poetry update - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes + if: steps.audit-dependencies.outputs.count > 0 run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
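Review bot: `Audit Dependencies` now pipes the nox session through `tee` in a step with no `shell:` key, where GitHub runs `bash -e {0}` without `pipefail`, so a crash of the audit session is masked by `tee`'s exit status; `jq` then reads an empty or partial file, `count=` ends up empty, and the `> 0` conditions on the next two steps treat that as zero findings. The template in this same commit has the identical pattern once `shell: bash` (which had enabled `pipefail`) is removed. Start the script with `set -o pipefail` (or write stdout with `> vulnerabilities.json` instead of `tee`) and use `LENGTH=$(jq -e 'length' vulnerabilities.json)` so a missing document fails the step instead of being read as "no vulnerabilities".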
@@ -43,18 +51,43 @@ jobs: echo "changed=true" >> "$GITHUB_OUTPUT" fi - - name: Create Pull Request - id: create-pull-request + - name: Configure git + id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - uses: peter-evans/create-pull-request@v7 - with: - commit-message: "Update poetry.lock" - branch: dependency-update/poetry-lock - delete-branch: true - title: "Update poetry.lock" - body: |- - Automated dependency update for `poetry.lock`. - - This PR was created by the dependency update workflow after running: - - `poetry run -- nox -s dependency:audit` - - `poetry update` + run: | + git config --global user.email "opensource@exasol.com" + git config --global user.name "Automatic Dependency Updater" + + - name: Create branch + id: create-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + run: | + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" + echo "Creating branch $branch_name" + git checkout -b "$branch_name" + + - name: Commit changes & push + id: publish-branch + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + run: | + branch_name=$(git rev-parse --abbrev-ref HEAD) + git add poetry.lock + git commit --message "Update poetry.lock" + git push --set-upstream origin "$branch_name" + + - name: Create pull request + id: create-pr + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + env: + GH_TOKEN: ${{ github.token }} + run: |- + BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) + + gh pr create \ + --base "$BASE_BRANCH" \ + --title "Update poetry.lock" \ + --body "Automated dependency update for \`poetry.lock\`. + + This PR was created by the dependency update workflow after running: + - \`poetry run -- nox -s dependency:audit\` + - \`poetry update\`" 
diff --git a/doc/github_actions/dependency_update.rst b/doc/github_actions/dependency_update.rst deleted file mode 100644 index 807ffeefdd..0000000000 --- a/doc/github_actions/dependency_update.rst +++ /dev/null @@ -1,14 +0,0 @@ -dependency-update -================= - -This workflow updates the project dependencies using Poetry. - -It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``. -If the ``poetry.lock`` file changes, a pull request is created automatically. - -Example Usage -------------- - -.. code-block:: bash - - tbx workflow install dependency-update \ No newline at end of file diff --git a/doc/github_actions/github_actions.rst b/doc/github_actions/github_actions.rst index d9798ac602..e9139e8869 100644 --- a/doc/github_actions/github_actions.rst +++ b/doc/github_actions/github_actions.rst @@ -8,4 +8,3 @@ python_environment security_issues - dependency_update diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index 6b6e8f7fc6..b465c9610d 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst @@ -61,6 +61,9 @@ Workflows - Pull request and monthly - Executes the continuous integration suite by calling ``merge-gate.yml`` and ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls. + * - ``dependency-update.yml`` + - Weekly and manual + - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if ``poetry.lock`` changes. * - ``gh-pages.yml`` - Workflow call - Builds the documentation and deploys it to GitHub Pages. 
@@ -99,6 +102,17 @@ Workflows CI Actions ---------- +Dependency Update +^^^^^^^^^^^^^^^^^ + +The ``dependency-update.yml`` workflow helps keep project dependencies up to date. + +It can be triggered manually and is also scheduled to run weekly. + +The workflow first audits dependencies for known vulnerabilities. If vulnerabilities +are detected, it updates the dependencies using Poetry. When ``poetry.lock`` changes, +it creates a pull request with the update. + .. _ci_yml: Pull Request diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index 45244b37eb..bd935cf4ba 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml @@ -5,12 +5,11 @@ on: # Every Monday at 03:00 UTC - cron: "0 3 * * 1" workflow_dispatch: - workflow_call: jobs: dependency-update: name: Dependency Update - runs-on: "ubuntu-24.04" + runs-on: "(( os_version ))" permissions: contents: write pull-requests: write @@ -26,12 +25,11 @@ jobs: id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 with: - python-version: "3.10" - poetry-version: "2.3.0" + python-version: "(( minimum_python_version ))" + poetry-version: "(( dependency_manager_version ))" - name: Audit Dependencies id: audit-dependencies - shell: bash run: | poetry run -- nox -s dependency:audit | tee vulnerabilities.json LENGTH=$(jq 'length' vulnerabilities.json) @@ -45,7 +43,6 @@ jobs: - name: Check for poetry.lock Changes id: check-for-poetry-lock-changes if: steps.audit-dependencies.outputs.count > 0 - shell: bash run: | if git diff --quiet -- poetry.lock; then echo "changed=false" >> "$GITHUB_OUTPUT" 
@@ -56,7 +53,6 @@ jobs: - name: Configure git id: configure-git if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' - shell: bash run: | git config --global user.email "opensource@exasol.com" git config --global user.name "Automatic Dependency Updater" @@ -64,16 +60,14 @@ jobs: - name: Create branch id: create-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' - shell: bash run: | - branch_name="dependency-update/poetry-lock" + branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" git checkout -b "$branch_name" - name: Commit changes & push id: publish-branch if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') - shell: bash run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -85,10 +79,11 @@ jobs: if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' env: GH_TOKEN: ${{ github.token }} - shell: bash run: | + BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) + gh pr create \ - --base main \ + --base "$BASE_BRANCH" \ --title "Update poetry.lock" \ --body "Automated dependency update for \`poetry.lock\`. From cea77fd6af2bb0927d9bc1ce3bb08f6c70fe189d Mon Sep 17 00:00:00 2001 From: Rimsha Masood Date: Mon, 20 Apr 2026 11:49:11 +0200 Subject: [PATCH 04/12] Improve dependency update workflow, tests, and docs --- .../features/github_workflows/index.rst | 8 ++--- .../github/workflows/dependency-update.yml | 18 +++++++--- .../tools/workflow_integration_test.py | 36 +++++++++++-------- 3 files changed, 39 insertions(+), 23 deletions(-) diff --git a/doc/user_guide/features/github_workflows/index.rst b/doc/user_guide/features/github_workflows/index.rst index aaa8431b07..95ecb3612b 100644 --- a/doc/user_guide/features/github_workflows/index.rst +++ b/doc/user_guide/features/github_workflows/index.rst 
@@ -63,7 +63,7 @@ Workflows ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls. * - ``dependency-update.yml`` - Weekly and manual - - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if ``poetry.lock`` changes. + - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if the ``poetry.lock`` was changed. * - ``gh-pages.yml`` - Workflow call - Builds the documentation and deploys it to GitHub Pages. @@ -105,13 +105,13 @@ CI Actions Dependency Update ^^^^^^^^^^^^^^^^^ -The ``dependency-update.yml`` workflow helps keep project dependencies up to date. +The ``dependency-update.yml`` workflow is used to resolve vulnerabilities by updating our project dependencies. It can be triggered manually and is also scheduled to run weekly. The workflow first audits dependencies for known vulnerabilities. If vulnerabilities -are detected, it updates the dependencies using Poetry. When ``poetry.lock`` changes, -it creates a pull request with the update. +are detected, it updates the dependencies using Poetry. When the ``poetry.lock`` is changed, +then it creates a pull request with the update. .. _ci_yml: diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml index bd935cf4ba..7acca3b228 100644 --- a/exasol/toolbox/templates/github/workflows/dependency-update.yml +++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml 
@@ -21,6 +21,14 @@ jobs: with: fetch-depth: 0 + - name: Fail if not running on the default branch + id: check-branch + if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) + uses: actions/github-script@v8 + with: + script: | + core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}') + - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment uses: exasol/python-toolbox/.github/actions/python-environment@v6 @@ -59,15 +67,15 @@ jobs: - name: Create branch id: create-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")" echo "Creating branch $branch_name" - git checkout -b "$branch_name" + git switch -C "$branch_name" - name: Commit changes & push id: publish-branch - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/') + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' run: | branch_name=$(git rev-parse --abbrev-ref HEAD) git add poetry.lock @@ -76,7 +84,7 @@ jobs: - name: Create pull request id: create-pr - if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main' + if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' env: GH_TOKEN: ${{ github.token }} run: | @@ -84,7 +92,7 @@ jobs: gh pr create \ --base "$BASE_BRANCH" \ - --title "Update poetry.lock" \ + --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ --body "Automated dependency update for \`poetry.lock\`. This PR was created by the dependency update workflow after running: diff --git a/test/integration/tools/workflow_integration_test.py b/test/integration/tools/workflow_integration_test.py index 4f8cbed7f1..cc5707e366 100644 --- a/test/integration/tools/workflow_integration_test.py 
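Review bot: The `Fail if not running on the default branch` step interpolates `${{ github.ref }}` into the `script:` body, which is the expression-expanded-into-code pattern GitHub's security hardening guide advises against for `run:` and `github-script` steps; github-script exposes the same value as `context.ref`, so the message can be built in JavaScript with no expansion: `core.setFailed('Not running on the default branch. github.ref is ' + context.ref)`. The identical step is added to `.github/workflows/dependency-update.yml` in commit 06 and should get the same change.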
+++ b/test/integration/tools/workflow_integration_test.py @@ -34,20 +34,28 @@ def test_with_columns(cli_runner): result = cli_runner.invoke(CLI, ["list", "--columns"]) assert result.exit_code == 0 - assert "build-and-publish" in result.output - assert "cd" in result.output - assert "check-release-tag" in result.output - assert "checks" in result.output - assert "ci" in result.output - assert "dependency-update" in result.output - assert "gh-pages" in result.output - assert "matrix-all" in result.output - assert "matrix-exasol" in result.output - assert "matrix-python" in result.output - assert "merge-gate" in result.output - assert "pr-merge" in result.output - assert "report" in result.output - assert "slow-checks" in result.output + + expected_substrings = """ + build-and-publish + cd + check-release-tag + checks + ci + dependency-update + gh-pages + matrix-all + matrix-exasol + matrix-python + merge-gate + pr-merge + report + slow-checks + """ + + actual = set(result.output.split()) + expected = set(expected_substrings.split()) + + assert expected.issubset(actual) def test_show_workflow(cli_runner): From 49145b9451436b6cb5a347db59e0be911627cee2 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 13:06:14 +0200 Subject: [PATCH 05/12] Fix release:prepare test --- exasol/toolbox/util/dependencies/audit.py | 2 +- test/unit/util/dependencies/audit_test.py | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/exasol/toolbox/util/dependencies/audit.py b/exasol/toolbox/util/dependencies/audit.py index 7a18cc3e7c..5d31b3bf98 100644 --- a/exasol/toolbox/util/dependencies/audit.py +++ b/exasol/toolbox/util/dependencies/audit.py 
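Review bot: `assert expected.issubset(actual)` in `test_with_columns` reports only `False` on failure and hides which workflow names are missing from the listing; `assert not expected - actual, f"missing: {expected - actual}"` is the same check with a useful message. The name `expected_substrings` is also misleading now that the test compares whitespace-separated tokens rather than substrings — `expected_names` reads as what it is. Since `result.output.split()` discards the layout that `--columns` produces, the test no longer verifies column formatting at all; if that is intentional a one-line comment above the assert should say so.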
@@ -260,7 +260,7 @@ def load_from_pip_audit(cls, working_directory: Path) -> Vulnerabilities: vulnerabilities = [] for entry in audit_dict["dependencies"]: - for vuln_entry in entry["vulns"]: + for vuln_entry in entry.get("vulns", []): vulnerabilities.append( Vulnerability.from_audit_entry( package_name=entry["name"], diff --git a/test/unit/util/dependencies/audit_test.py b/test/unit/util/dependencies/audit_test.py index cc414b0d23..d34bc88f1c 100644 --- a/test/unit/util/dependencies/audit_test.py +++ b/test/unit/util/dependencies/audit_test.py @@ -240,7 +240,13 @@ class TestVulnerabilities: @staticmethod def test_with_no_vulnerabilities(): pip_audit_dict = { - "dependencies": [{"name": "alabaster", "version": "0.7.16", "vulns": []}] + "dependencies": [ + { + "name": "exasol-toolbox", + "skip_reason": "Dependency not found on PyPI and could not be audited: exasol-toolbox (7.0.0)", + }, + {"name": "alabaster", "version": "0.7.16", "vulns": []}, + ] } pip_audit_json = json.dumps(pip_audit_dict) From bf382434cfe950a74dd3329dbd6655a8801c7034 Mon Sep 17 00:00:00 2001 From: Ariel Schulz Date: Wed, 29 Apr 2026 13:22:02 +0200 Subject: [PATCH 06/12] Update PTB workflows to 7.0.0 --- .github/workflows/build-and-publish.yml | 2 +- .github/workflows/check-release-tag.yml | 2 +- .github/workflows/checks.yml | 16 ++++++++-------- .github/workflows/dependency-update.yml | 19 +++++++++++++------ .github/workflows/gh-pages.yml | 2 +- .github/workflows/matrix-all.yml | 2 +- .github/workflows/matrix-exasol.yml | 2 +- .github/workflows/matrix-python.yml | 2 +- .github/workflows/report.yml | 2 +- .github/workflows/slow-checks.yml | 2 +- 10 files changed, 29 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index 9ba56f8d6f..867d79c9b6 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml 
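Review bot: `entry.get("vulns", [])` makes a dependency that pip-audit skipped (an entry carrying `skip_reason` and no `vulns`, as in the new test fixture) indistinguishable from one that was audited and found clean, so an unaudited package is silently reported as having no vulnerabilities. Surface the coverage gap instead, e.g. `if "vulns" not in entry: warnings.warn(f"{entry['name']} was not audited: {entry.get('skip_reason', 'unknown reason')}")` before the inner loop — `warnings.warn` writes to stderr, which matters because the dependency-update workflow in this series pipes the audit's stdout into `jq`. `load_from_pip_audit` starts and ends outside the hunk, and the `warnings` import would go at the top of the module.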
@@ -19,7 +19,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index 5423c11a4f..f099fa94ee 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -17,7 +17,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index a258fef3ac..064a7fca55 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -16,7 +16,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -42,7 +42,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: "3.10" poetry-version: "2.3.0" @@ -67,7 +67,7 @@ jobs: - name: Set up Python & Poetry Environment id: set-up-python-and-poetry-environment - uses: exasol/python-toolbox/.github/actions/python-environment@v6 + uses: exasol/python-toolbox/.github/actions/python-environment@v7 with: python-version: ${{ matrix.python-versions }} poetry-version: "2.3.0" 
@@ -102,7 +102,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "2.3.0"
@@ -128,7 +128,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "2.3.0"
@@ -157,7 +157,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
@@ -179,7 +179,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
@@ -227,7 +227,7 @@ jobs:
 fetch-depth: 0
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-versions }}
 poetry-version: "2.3.0"
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index a485ae9eb7..b2b4fb940e 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -5,7 +5,6 @@ on:
 # Every Monday at 03:00 UTC
 - cron: "0 3 * * 1"
 workflow_dispatch:
- workflow_call:
 
 jobs:
 dependency-update:
@@ -22,6 +21,14 @@ jobs:
 with:
 fetch-depth: 0
 
+ - name: Fail if not running on the default branch
+ id: check-branch
+ if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch)
+ uses: actions/github-script@v8
+ with:
+ script: |
+ core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}')
+
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
 uses: exasol/python-toolbox/.github/actions/python-environment@v6
@@ -60,15 +67,15 @@ jobs:
 
 - name: Create branch
 id: create-branch
- if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'
+ if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 run: |
 branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
 echo "Creating branch $branch_name"
- git checkout -b "$branch_name"
+ git switch -C "$branch_name"
 
 - name: Commit changes & push
 id: publish-branch
- if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/')
+ if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 run: |
 branch_name=$(git rev-parse --abbrev-ref HEAD)
 git add poetry.lock
@@ -77,7 +84,7 @@ jobs:
 
 - name: Create pull request
 id: create-pr
- if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'
+ if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 env:
 GH_TOKEN: ${{ github.token }}
 run: |-
@@ -85,7 +92,7 @@ jobs:
 
 gh pr create \
 --base "$BASE_BRANCH" \
- --title "Update poetry.lock" \
+ --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
 --body "Automated dependency update for \`poetry.lock\`.
 
 This PR was created by the dependency update workflow after running:
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 147d0453a8..73c74dc99f 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
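Review bot: The context line at the end of this hunk still pins `exasol/python-toolbox/.github/actions/python-environment@v6`, while every other workflow in this commit moves to `@v7`, so dependency-update.yml is left on the old action version despite the commit title (the same `@v6` line is still visible as context at L24). Separately, the new github-script step renders `${{ github.ref }}` straight into JavaScript source; the usual hardening is to read the value from the runner environment instead, `core.setFailed('Not running on the default branch. github.ref is ' + process.env.GITHUB_REF)`, so a ref containing a quote cannot break out of the string literal.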
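Review bot: The new title claims the PR fixes vulnerabilities, but the step follows an unconditional `poetry update`, and the audit step earlier in the job (outside this hunk) runs before the update; if that nox session exits non-zero when it finds a finding, the job stops before `poetry update` and no PR is created in exactly the case the title describes. Either give the audit step `continue-on-error: true` and re-run the audit after the update so the PR body can state the result, or shorten the title to `--title "Update poetry.lock ($(date '+%Y-%m-%d'))"` so it matches what the workflow actually does. Whether the audit session fails on findings is not visible here and should be checked.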
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml
index 69a5aa4b4f..558f5ef672 100644
--- a/.github/workflows/matrix-all.yml
+++ b/.github/workflows/matrix-all.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml
index 44b5cfd985..a64b88c3f6 100644
--- a/.github/workflows/matrix-exasol.yml
+++ b/.github/workflows/matrix-exasol.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml
index 328799b6c9..e68fd4d1e7 100644
--- a/.github/workflows/matrix-python.yml
+++ b/.github/workflows/matrix-python.yml
@@ -19,7 +19,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
index 8790ca1ab2..7612aeba7e 100644
--- a/.github/workflows/report.yml
+++ b/.github/workflows/report.yml
@@ -20,7 +20,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: "3.10"
 poetry-version: "2.3.0"
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
index 8f1b55e42e..46ed19863c 100644
--- a/.github/workflows/slow-checks.yml
+++ b/.github/workflows/slow-checks.yml
@@ -29,7 +29,7 @@ jobs:
 
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
+ uses: exasol/python-toolbox/.github/actions/python-environment@v7
 with:
 python-version: ${{ matrix.python-version }}
 poetry-version: "2.3.0"
From a429916498c294f268ea087de034419e154d0d21 Mon Sep 17 00:00:00 2001
From: Rimsha Masood
Date: Mon, 4 May 2026 10:21:13 +0200
Subject: [PATCH 07/12] Testing with CI Yaml

---
 .github/workflows/ci.yml | 7 +++++++
 .github/workflows/dependency-update.yml | 1 +
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 104045ade7..22adc3c7fb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,13 @@ jobs:
 permissions:
 contents: read
 
+ dependency-update:
+ name: Dependency Update
+ uses: ./.github/workflows/dependency-update.yml
+ permissions:
+ contents: write
+ pull-requests: write
+
 report:
 # Job merge-gate requires manual approval for running the slow checks. If
 # current workflow ci.yml is triggered by schedule, there is no manual
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index b2b4fb940e..bdbed03f9c 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -5,6 +5,7 @@ on:
 # Every Monday at 03:00 UTC
 - cron: "0 3 * * 1"
 workflow_dispatch:
+ workflow_call:
 
 jobs:
 dependency-update:
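Review bot: The new `dependency-update` job makes the reusable workflow run on every event that triggers ci.yml, with `contents: write` and `pull-requests: write`, which is a much broader trigger set than the `schedule`/`workflow_dispatch` the called workflow declares for itself, and the commit title ("Testing with CI Yaml") suggests this wiring is temporary. If it is meant to stay, gate the job on event and ref, e.g. `if: github.event_name == 'schedule' || github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`, so a CI run on a feature branch cannot push a `dependency-update/*` branch and open a PR against the default branch. The default-branch guard step inside dependency-update.yml is deleted later in this series (L24), after which nothing in the called workflow enforces this. I cannot see ci.yml's `on:` block, so which events reach this job is inferred.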
From da85895602ab384dc7c03d37194f4e382c4f4a79 Mon Sep 17 00:00:00 2001
From: Rimsha Masood
Date: Mon, 4 May 2026 10:26:09 +0200
Subject: [PATCH 08/12] Remove default branch blocker

---
 .github/workflows/dependency-update.yml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index bdbed03f9c..25c1ef1266 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -22,14 +22,6 @@ jobs:
 with:
 fetch-depth: 0
 
- - name: Fail if not running on the default branch
- id: check-branch
- if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch)
- uses: actions/github-script@v8
- with:
- script: |
- core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}')
-
 - name: Set up Python & Poetry Environment
 id: set-up-python-and-poetry-environment
 uses: exasol/python-toolbox/.github/actions/python-environment@v6
From 00ba0b976b0932113b0660eff396d66a0f0815a2 Mon Sep 17 00:00:00 2001
From: Rimsha Masood
Date: Mon, 4 May 2026 10:31:23 +0200
Subject: [PATCH 09/12] Add vulnerabiltiy

---
 poetry.lock | 10 +++++-----
 pyproject.toml | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 18b78aea2e..7ff3669306 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.3.3 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.
 
 [[package]]
 name = "accessible-pygments"
@@ -2698,14 +2698,14 @@ tomli = ">=2.2.1,<3.0.0"
 
 [[package]]
 name = "pytest"
-version = "9.0.3"
+version = "9.0.0"
 description = "pytest: simple powerful testing with Python"
 optional = false
 python-versions = ">=3.10"
 groups = ["main"]
 files = [
- {file = "pytest-9.0.3-py3-none-any.whl", hash = "sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9"},
- {file = "pytest-9.0.3.tar.gz", hash = "sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c"},
+ {file = "pytest-9.0.0-py3-none-any.whl", hash = "sha256:e5ccdf10b0bac554970ee88fc1a4ad0ee5d221f8ef22321f9b7e4584e19d7f96"},
+ {file = "pytest-9.0.0.tar.gz", hash = "sha256:8f44522eafe4137b0f35c9ce3072931a788a21ee40a2ed279e817d3cc16ed21e"},
 ]
 
 [package.dependencies]
@@ -4038,4 +4038,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10,<4.0"
-content-hash = "3d5c07aeaab839a92ec06e66addd20d634864518ef66d76623d08d5eaae6817b"
+content-hash = "d23e96a6f4ba0858d7603ea5d51e278252545d883c0a7d0577f1036f8cc4220a"
diff --git a/pyproject.toml b/pyproject.toml
index 516496220d..dbb6fd79f5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -45,7 +45,7 @@ dependencies = [
 "pydantic>=2.11.5,<3",
 "pylint>=2.15.4",
 "pysonar>=1.0.1.1548,<2",
- "pytest>=7.2.2,<10",
+ "pytest==9.0.0",
 "pyupgrade>=2.38.2,<4.0.0",
 "ruamel-yaml (>=0.18.0,<=0.18.16)",
 "ruff>=0.14.5,<0.15",
From 2f2e00d547c925179346d7733872805981644fcd Mon Sep 17 00:00:00 2001
From: Rimsha Masood
Date: Mon, 4 May 2026 11:00:10 +0200
Subject: [PATCH 10/12] Add slack_hook

---
 .../github/workflows/dependency-update.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index 7acca3b228..de5d02ad17 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
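Review bot: `"pytest==9.0.0"` is an exact pin, so the `poetry update` that the dependency-update workflow runs cannot move pytest off this version even when the audit flags it; the workflow under test will therefore report the finding but never produce a fixing PR for it. The commit title says the pin exists to exercise the audit, so this line and the regenerated poetry.lock (whose header now says it was written by Poetry 2.3.2 rather than 2.3.3) should be reverted before the branch merges rather than shipped as the project's real constraint. If a reproducible fixture is wanted, a pip-audit JSON sample in the unit tests, like the one in the first hunk of this series (L18), covers it without committing a version the commit itself describes as vulnerable.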
@@ -90,11 +90,22 @@ jobs:
 run: |
 BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
 
- gh pr create \
+ pr_url=$(gh pr create \
 --base "$BASE_BRANCH" \
 --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
- --body "Automated dependency update for \`poetry.lock\`.
-
+ --body "Automated dependency update for \`poetry.lock\`.)
+ echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
 This PR was created by the dependency update workflow after running:
 - \`poetry run -- nox -s dependency:audit\`
 - \`poetry update\`"
+ - name: Report new Pull Request to Slack channel
+ id: report-pr-slack
+ if: ${{ steps.create-pr.outputs.pr_url }}
+ uses: ravsamhq/notify-slack-action@v2
+ with:
+ status: '${{ job.status }}',
+ token: '${{ secrets.GITHUB_TOKEN }}',
+ notification_title: 'Dependency update for {repo} created a Pull Request',
+ message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
+ env:
+ SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'
From 86de8ac764a8621cfeb7b288def3453fcec40760 Mon Sep 17 00:00:00 2001
From: Rimsha Masood
Date: Mon, 4 May 2026 11:14:09 +0200
Subject: [PATCH 11/12] Add slack_hook

---
 .github/workflows/ci.yml | 1 +
 .github/workflows/dependency-update.yml | 19 +++++++++++++++----
 .../github/workflows/dependency-update.yml | 6 +++---
 3 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 22adc3c7fb..444c919305 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,6 +20,7 @@ jobs:
 dependency-update:
 name: Dependency Update
 uses: ./.github/workflows/dependency-update.yml
+ secrets: inherit
 permissions:
 contents: write
 pull-requests: write
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 25c1ef1266..4fb6d70ef9 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
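Review bot: `ravsamhq/notify-slack-action@v2` is a third-party action referenced by a mutable major tag, and the new step hands it both `secrets.GITHUB_TOKEN` (which in this job carries `contents: write` and `pull-requests: write`) and the Slack webhook URL; pin it to a full commit SHA with the version in a trailing comment, `uses: ravsamhq/notify-slack-action@<commit-sha> # v2`, so a retagged release cannot read either secret. The same step is added to .github/workflows/dependency-update.yml in the next commit (L27) and touched again at L28 and L30, so the pin applies there as well. Because this file is a template shipped to downstream projects, the hard-coded secret name `INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK` will resolve to an empty `SLACK_WEBHOOK_URL` in any repository that does not define it; `continue-on-error: true` on this step would keep a missing webhook from failing a run whose PR has already been created.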
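Review bot: `secrets: inherit` forwards every repository and organization secret to the called workflow, while the only secret the dependency-update workflow reads (visible in the hunk above) is `INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK`. Least privilege is to declare that one secret under `on.workflow_call.secrets` in dependency-update.yml (with `required: false`, since the scheduled run reads it from the repository directly) and pass it explicitly here: `secrets:` followed by `INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK: ${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}`. The `workflow_call` declaration lives in the `on:` block of the called file, which is outside every hunk in this commit.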
@@ -80,14 +80,25 @@ jobs:
 if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
 env:
 GH_TOKEN: ${{ github.token }}
- run: |-
+ run: |
 BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
 
- gh pr create \
+ pr_url=$(gh pr create \
 --base "$BASE_BRANCH" \
 --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
- --body "Automated dependency update for \`poetry.lock\`.
-
+ --body "Automated dependency update for \`poetry.lock\`.)
+ echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
 This PR was created by the dependency update workflow after running:
 - \`poetry run -- nox -s dependency:audit\`
 - \`poetry update\`"
+ - name: Report new Pull Request to Slack channel
+ id: report-pr-slack
+ if: ${{ steps.create-pr.outputs.pr_url }}
+ uses: ravsamhq/notify-slack-action@v2
+ with:
+ status: '${{ job.status }}'
+ token: '${{ secrets.GITHUB_TOKEN }}'
+ notification_title: 'Dependency update for {repo} created a Pull Request'
+ message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
+ env:
+ SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index de5d02ad17..05febdff26 100644
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
@@ -103,9 +103,9 @@ jobs:
 if: ${{ steps.create-pr.outputs.pr_url }}
 uses: ravsamhq/notify-slack-action@v2
 with:
- status: '${{ job.status }}',
- token: '${{ secrets.GITHUB_TOKEN }}',
- notification_title: 'Dependency update for {repo} created a Pull Request',
+ status: '${{ job.status }}'
+ token: '${{ secrets.GITHUB_TOKEN }}'
+ notification_title: 'Dependency update for {repo} created a Pull Request'
 message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
 env:
 SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'
From 5fd48a58b3e0e25cfb2a9615bc78ed69cbeea736 Mon Sep 17 00:00:00 2001
From: Ariel Schulz
Date: Mon, 4 May 2026 11:46:14 +0200
Subject: [PATCH 12/12] Fix added slack_hook

---
 .github/workflows/checks.yml | 21 -------------------
 .github/workflows/dependency-update.yml | 14 ++++++++-----
 .github/workflows/merge-gate.yml | 9 --------
 .../github/workflows/dependency-update.yml | 14 ++++++++-----
 4 files changed, 18 insertions(+), 40 deletions(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 064a7fca55..56dfa2051e 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -188,27 +188,6 @@ jobs:
 id: build-package
 run: poetry run -- nox -s package:check
 
- lint-imports:
- name: Lint Imports
- runs-on: ubuntu-24.04
- permissions:
- contents: read
- steps:
- - name: Check out Repository
- id: check-out-repository
- uses: actions/checkout@v6
-
- - name: Set up Python & Poetry Environment
- id: set-up-python-and-poetry-environment
- uses: exasol/python-toolbox/.github/actions/python-environment@v6
- with:
- python-version: "3.10"
- poetry-version: "2.3.0"
-
- - name: Lint Imports
- id: lint-imports
- run: poetry run -- nox -s lint:import
-
 run-unit-tests:
 name: Unit Tests (Python-${{ matrix.python-versions }})
 runs-on: "ubuntu-24.04"
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
index 4fb6d70ef9..f323688ce3 100644
--- a/.github/workflows/dependency-update.yml
+++ b/.github/workflows/dependency-update.yml
@@ -83,14 +83,18 @@ jobs:
 run: |
 BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
 
- pr_url=$(gh pr create \
- --base "$BASE_BRANCH" \
- --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
- --body "Automated dependency update for \`poetry.lock\`.)
- echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
+ PR_BODY="Automated dependency update for \`poetry.lock\`.
 This PR was created by the dependency update workflow after running:
 - \`poetry run -- nox -s dependency:audit\`
 - \`poetry update\`"
+
+ PR_URL=$(gh pr create \
+ --base "$BASE_BRANCH" \
+ --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
+ --body "$PR_BODY")
+
+ echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
+
 - name: Report new Pull Request to Slack channel
 id: report-pr-slack
 if: ${{ steps.create-pr.outputs.pr_url }}
diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml
index 7219a4d83b..46c0129578 100644
--- a/.github/workflows/merge-gate.yml
+++ b/.github/workflows/merge-gate.yml
@@ -48,14 +48,6 @@ jobs:
 permissions:
 contents: read
 
- test-python-environment:
- name: Test python-environment Action
- needs:
- - approve-run-slow-tests
- uses: ./.github/workflows/test-python-environment.yml
- permissions:
- contents: read
-
 # This job ensures inputs have been executed successfully.
 allow-merge:
 name: Allow Merge
@@ -66,7 +58,6 @@ jobs:
 needs:
 - run-fast-checks
 - run-slow-checks
- - test-python-environment
 # Each job requires a step, so we added this dummy step.
 steps:
 - name: Approve
diff --git a/exasol/toolbox/templates/github/workflows/dependency-update.yml b/exasol/toolbox/templates/github/workflows/dependency-update.yml
index 05febdff26..de740a74ed 100644
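Review bot: `gh pr create` in this step authenticates with `GH_TOKEN: ${{ github.token }}` (set just above the hunk), and pull requests opened with the workflow's own `GITHUB_TOKEN` do not trigger other workflows, so the `dependency-update/*` PR this step creates will not get the repository's checks run on it unless the step uses a GitHub App or PAT token instead. Nothing visible in the step restricts the run to the default branch either: the guard step was removed at L24 and the workflow is called from ci.yml since L23, so the PR is opened against `$BASE_BRANCH` from whatever ref the caller ran on; the step's `if:` (just above this hunk) could be extended with `&& github.ref == format('refs/heads/{0}', github.event.repository.default_branch)`. The same body rewrite is applied to the template at L30, so both points apply there too. The deletions of the `lint-imports` job (L28) and the `test-python-environment` job (merge-gate.yml, this commit) look unrelated to the "Fix added slack_hook" title and quietly reduce what the merge gate checks; they deserve their own commit and explanation.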
--- a/exasol/toolbox/templates/github/workflows/dependency-update.yml
+++ b/exasol/toolbox/templates/github/workflows/dependency-update.yml
@@ -90,14 +90,18 @@ jobs:
 run: |
 BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
 
- pr_url=$(gh pr create \
- --base "$BASE_BRANCH" \
- --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
- --body "Automated dependency update for \`poetry.lock\`.)
- echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"
+ PR_BODY="Automated dependency update for \`poetry.lock\`.
 This PR was created by the dependency update workflow after running:
 - \`poetry run -- nox -s dependency:audit\`
 - \`poetry update\`"
+
+ PR_URL=$(gh pr create \
+ --base "$BASE_BRANCH" \
+ --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
+ --body "$PR_BODY")
+
+ echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
+
 - name: Report new Pull Request to Slack channel
 id: report-pr-slack
 if: ${{ steps.create-pr.outputs.pr_url }}