Improve description in automated PR from dependency-update.yml #792

@ArBridgeman

Summary

The dependency-update.yml creates a PR that looks like: #790

We should augment the description provided so that contributors know which steps they need to take to:

  1. trigger the CI
  2. finalize the PR, e.g. what manual steps need to be done

We'd like this to be similar in nature to what project-keeper produces:
exasol/kafka-connector-extension#171

As #683 (worked on in #779) first adds the dependency-update.yml, it would be ideal if this is done before a new PTB release.

To Dos

Modify the documentation

Modify https://exasol.github.io/python-toolbox/main/user_guide/features/github_workflows/index.html#dependency-update:

  • Use the RST option to display the schedule for running
  • Write out a bit more how the pipeline works & what the user is expected to do (in vague wording)

Notes:

  • It runs once weekly or on demand. If the criteria (has vulnerability, were changes) are met, then a PR is created & a Slack notification is sent.
  • Users need to open the PR and perform some manual steps which are described in the PR description.
  • See if PK has more in their documentation.

Modify the PR description

Modify exasol/toolbox/templates/github/workflows/dependency-update.yml

  • Need to add parts similar in style to 🔐 Update dependencies to fix vulnerabilities kafka-connector-extension#171
  • To simply run the CI, you can close and re-open the PR
  • Manual steps we need to take include:
    • update the workflows with poetry run -- nox -s workflow:generate -- all -> bot cannot do
    • check if there are remaining vulnerabilities with poetry run -- nox -s dependency:audit and try to fix if there's a fix version. If it's not easy and there is a known fix, create an issue to look into later.
    • update the changelog -> add an entry that the poetry.lock was updated to resolve vulnerabilities. Maybe note that the release:prepare will write out the specifics later 😉
  • Propagate changes to the .github/workflows/dependency-update.yml

Modify the pull_request_template.md

⚠️ Note that effort is already being made to automate adding the table of resolved vulnerabilities when the nox session release:prepare is used. Thus, depending on the timing, this step may not be needed.

Modify https://github.com/exasol/python-toolbox/blob/main/.github/pull_request_template.md:

  • Under When Preparing a Release, add a point to use poetry run -- nox -s vulnerabilities:resolved to get the table of resolved vulnerabilities & add it into the summary

Labels

documentation: User guides, tutorials, specifications