Feature update workflow test

.github/workflows/checks.yml

@@ -16,7 +16,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: "3.10"
           poetry-version: "2.3.0"
@@ -42,7 +42,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: "3.10"
           poetry-version: "2.3.0"
@@ -67,7 +67,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: ${{ matrix.python-versions }}
           poetry-version: "2.3.0"
@@ -102,7 +102,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: ${{ matrix.python-versions }}
           poetry-version: "2.3.0"
@@ -128,7 +128,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: ${{ matrix.python-versions }}
           poetry-version: "2.3.0"
@@ -157,7 +157,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: "3.10"
           poetry-version: "2.3.0"
@@ -179,7 +179,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: "3.10"
           poetry-version: "2.3.0"
@@ -188,27 +188,6 @@ jobs:
         id: build-package
         run: poetry run -- nox -s package:check
 
-  lint-imports:
-    name: Lint Imports
-    runs-on: ubuntu-24.04
-    permissions:
-      contents: read
-    steps:
-      - name: Check out Repository
-        id: check-out-repository
-        uses: actions/checkout@v6
-
-      - name: Set up Python & Poetry Environment
-        id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
-        with:
-          python-version: "3.10"
-          poetry-version: "2.3.0"
-
-      - name: Lint Imports
-        id: lint-imports
-        run: poetry run -- nox -s lint:import
-
   run-unit-tests:
     name: Unit Tests (Python-${{ matrix.python-versions }})
     runs-on: "ubuntu-24.04"
@@ -227,7 +206,7 @@ jobs:
           fetch-depth: 0
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: ${{ matrix.python-versions }}
           poetry-version: "2.3.0"

.github/workflows/dependency-update.yml

@@ -0,0 +1,108 @@
+name: Dependency Update
+
+on:
+  schedule:
+    # Every Monday at 03:00 UTC
+    - cron: "0 3 * * 1"
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  dependency-update:
+    name: Dependency Update
+    runs-on: "ubuntu-24.04"
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check out Repository
+        id: check-out-repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python & Poetry Environment
+        id: set-up-python-and-poetry-environment
+        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        with:
+          python-version: "3.10"
+          poetry-version: "2.3.0"
+
+      - name: Audit Dependencies
+        id: audit-dependencies
+        run: |
+          poetry run -- nox -s dependency:audit | tee vulnerabilities.json
+          LENGTH=$(jq 'length' vulnerabilities.json)
+          echo "count=$LENGTH" >> "$GITHUB_OUTPUT"
+
+      - name: Update Dependencies
+        id: update-dependencies
+        if: steps.audit-dependencies.outputs.count > 0
+        run: poetry update
+
+      - name: Check for poetry.lock Changes
+        id: check-for-poetry-lock-changes
+        if: steps.audit-dependencies.outputs.count > 0
+        run: |
+          if git diff --quiet -- poetry.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure git
+        id: configure-git
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          git config --global user.email "opensource@exasol.com"
+          git config --global user.name "Automatic Dependency Updater"
+
+      - name: Create branch
+        id: create-branch
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
+          echo "Creating branch $branch_name"
+          git switch -C "$branch_name"
+
+      - name: Commit changes & push
+        id: publish-branch
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          branch_name=$(git rev-parse --abbrev-ref HEAD)
+          git add poetry.lock
+          git commit --message "Update poetry.lock"
+          git push --set-upstream origin "$branch_name"
+
+      - name: Create pull request
+        id: create-pr
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
+
+          PR_BODY="Automated dependency update for \`poetry.lock\`.
+          This PR was created by the dependency update workflow after running:
+          - \`poetry run -- nox -s dependency:audit\`
+          - \`poetry update\`"
+
+          PR_URL=$(gh pr create \
+                      --base "$BASE_BRANCH" \
+                      --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
+                      --body "$PR_BODY")
+
+          echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
+
+      - name: Report new Pull Request to Slack channel
+        id: report-pr-slack
+        if: ${{ steps.create-pr.outputs.pr_url }}
+        uses: ravsamhq/notify-slack-action@v2
+        with:
+          status: '${{ job.status }}'
+          token: '${{ secrets.GITHUB_TOKEN }}'
+          notification_title: 'Dependency update for {repo} created a Pull Request'
+          message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
+        env:
+          SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'

.github/workflows/merge-gate.yml

@@ -48,14 +48,6 @@ jobs:
     permissions:
       contents: read
 
-  test-python-environment:
-    name: Test python-environment Action
-    needs:
-      - approve-run-slow-tests
-    uses: ./.github/workflows/test-python-environment.yml
-    permissions:
-      contents: read
-
   # This job ensures inputs have been executed successfully.
   allow-merge:
     name: Allow Merge
@@ -66,7 +58,6 @@ jobs:
     needs:
       - run-fast-checks
       - run-slow-checks
-      - test-python-environment
     # Each job requires a step, so we added this dummy step.
     steps:
       - name: Approve

.github/workflows/slow-checks.yml

@@ -29,7 +29,7 @@ jobs:
 
       - name: Set up Python & Poetry Environment
         id: set-up-python-and-poetry-environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        uses: exasol/python-toolbox/.github/actions/python-environment@v7
         with:
           python-version: ${{ matrix.python-version }}
           poetry-version: "2.3.0"

doc/user_guide/features/github_workflows/index.rst

@@ -59,6 +59,9 @@ Workflows
      - Pull request and monthly
      - Executes the continuous integration suite by calling ``merge-gate.yml`` and
        ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls.
+   * - ``dependency-update.yml``
+     - Weekly and manual
+     - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if the ``poetry.lock`` was changed.
    * - ``gh-pages.yml``
      - Workflow call
      - Builds the documentation and deploys it to GitHub Pages.
@@ -97,6 +100,17 @@ Workflows
 CI Actions
 ----------
 
+Dependency Update
+^^^^^^^^^^^^^^^^^
+
+The ``dependency-update.yml`` workflow is used to resolve vulnerabilities by updating our project dependencies.
+
+It can be triggered manually and is also scheduled to run weekly.
+
+The workflow first audits dependencies for known vulnerabilities. If vulnerabilities
+are detected, it updates the dependencies using Poetry. When the ``poetry.lock`` is changed,
+then it creates a pull request with the update.
+
 .. _ci_yml:
 
 Pull Request