add dependency-update workflow template (fixes #683)

.github/workflows/dependency-update.yml

@@ -0,0 +1,93 @@
+name: Dependency Update
+
+on:
+  schedule:
+    # Every Monday at 03:00 UTC
+    - cron: "0 3 * * 1"
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  dependency-update:
+    name: Dependency Update
+    runs-on: "ubuntu-24.04"
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check out Repository
+        id: check-out-repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python & Poetry Environment
+        id: set-up-python-and-poetry-environment
+        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        with:
+          python-version: "3.10"
+          poetry-version: "2.3.0"
+
+      - name: Audit Dependencies
+        id: audit-dependencies
+        run: |
+          poetry run -- nox -s dependency:audit | tee vulnerabilities.json
+          LENGTH=$(jq 'length' vulnerabilities.json)
+          echo "count=$LENGTH" >> "$GITHUB_OUTPUT"
+
+      - name: Update Dependencies
+        id: update-dependencies
+        if: steps.audit-dependencies.outputs.count > 0
+        run: poetry update
+
+      - name: Check for poetry.lock Changes
+        id: check-for-poetry-lock-changes
+        if: steps.audit-dependencies.outputs.count > 0
+        run: |
+          if git diff --quiet -- poetry.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure git
+        id: configure-git
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          git config --global user.email "opensource@exasol.com"
+          git config --global user.name "Automatic Dependency Updater"
+
+      - name: Create branch
+        id: create-branch
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'
+        run: |
+          branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
+          echo "Creating branch $branch_name"
+          git checkout -b "$branch_name"
+
+      - name: Commit changes & push
+        id: publish-branch
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && startsWith(github.ref, 'refs/heads/')
+        run: |
+          branch_name=$(git rev-parse --abbrev-ref HEAD)
+          git add poetry.lock
+          git commit --message "Update poetry.lock"
+          git push --set-upstream origin "$branch_name"
+
+      - name: Create pull request
+        id: create-pr
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' && github.ref == 'refs/heads/main'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |-
+          BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
+
+          gh pr create \
+            --base "$BASE_BRANCH" \
+            --title "Update poetry.lock" \
+            --body "Automated dependency update for \`poetry.lock\`.
+
+          This PR was created by the dependency update workflow after running:
+          - \`poetry run -- nox -s dependency:audit\`
+          - \`poetry update\`"

doc/user_guide/features/github_workflows/index.rst

@@ -61,6 +61,9 @@ Workflows
      - Pull request and monthly
      - Executes the continuous integration suite by calling ``merge-gate.yml`` and
        ``report.yml``. See :ref:`ci_yml` for a graph of workflow calls.
+   * - ``dependency-update.yml``
+     - Weekly and manual
+     - Audits project dependencies for known vulnerabilities, updates them with Poetry when needed, and creates a pull request if the ``poetry.lock`` was changed.
    * - ``gh-pages.yml``
      - Workflow call
      - Builds the documentation and deploys it to GitHub Pages.
@@ -99,6 +102,17 @@ Workflows
 CI Actions
 ----------
 
+Dependency Update
+^^^^^^^^^^^^^^^^^
+
+The ``dependency-update.yml`` workflow is used to resolve vulnerabilities by updating our project dependencies.
+
+It can be triggered manually and is also scheduled to run weekly.
+
+The workflow first audits dependencies for known vulnerabilities. If vulnerabilities
+are detected, it updates the dependencies using Poetry. When the ``poetry.lock`` is changed,
+then it creates a pull request with the update.
+
 .. _ci_yml:
 
 Pull Request

exasol/toolbox/templates/github/workflows/dependency-update.yml

@@ -0,0 +1,100 @@
+name: Dependency Update
+
+on:
+  schedule:
+    # Every Monday at 03:00 UTC
+    - cron: "0 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  dependency-update:
+    name: Dependency Update
+    runs-on: "(( os_version ))"
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check out Repository
+        id: check-out-repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Fail if not running on the default branch
+        id: check-branch
+        if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch)
+        uses: actions/github-script@v8
+        with:
+          script: |
+            core.setFailed('Not running on the default branch. github.ref is ${{ github.ref }}')
+
+      - name: Set up Python & Poetry Environment
+        id: set-up-python-and-poetry-environment
+        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        with:
+          python-version: "(( minimum_python_version ))"
+          poetry-version: "(( dependency_manager_version ))"
+
+      - name: Audit Dependencies
+        id: audit-dependencies
+        run: |
+          poetry run -- nox -s dependency:audit | tee vulnerabilities.json
+          LENGTH=$(jq 'length' vulnerabilities.json)
+          echo "count=$LENGTH" >> "$GITHUB_OUTPUT"
+
+      - name: Update Dependencies
+        id: update-dependencies
+        if: steps.audit-dependencies.outputs.count > 0
+        run: poetry update
+
+      - name: Check for poetry.lock Changes
+        id: check-for-poetry-lock-changes
+        if: steps.audit-dependencies.outputs.count > 0
+        run: |
+          if git diff --quiet -- poetry.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Configure git
+        id: configure-git
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          git config --global user.email "opensource@exasol.com"
+          git config --global user.name "Automatic Dependency Updater"
+
+      - name: Create branch
+        id: create-branch
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          branch_name="dependency-update/$(date "+%Y%m%d%H%M%S")"
+          echo "Creating branch $branch_name"
+          git switch -C "$branch_name"
+
+      - name: Commit changes & push
+        id: publish-branch
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        run: |
+          branch_name=$(git rev-parse --abbrev-ref HEAD)
+          git add poetry.lock
+          git commit --message "Update poetry.lock"
+          git push --set-upstream origin "$branch_name"
+
+      - name: Create pull request
+        id: create-pr
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
+
+          gh pr create \
+            --base "$BASE_BRANCH" \
+            --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
+            --body "Automated dependency update for \`poetry.lock\`.
+
+          This PR was created by the dependency update workflow after running:
+          - \`poetry run -- nox -s dependency:audit\`
+          - \`poetry update\`"

test/integration/project-template/nox_test.py

@@ -76,4 +76,4 @@ def test_install_github_workflows(self, poetry_path, run_command):
         assert output.returncode == 0
 
         file_list = run_command(["ls", ".github/workflows"]).stdout.splitlines()
-        assert len(file_list) == 13
+        assert len(file_list) == 14

test/integration/tools/workflow_integration_test.py

@@ -18,6 +18,7 @@ def test_with_default(cli_runner):
             "check-release-tag\n"
             "checks\n"
             "ci\n"
+            "dependency-update\n"
             "gh-pages\n"
             "matrix-all\n"
             "matrix-exasol\n"
@@ -33,13 +34,28 @@ def test_with_columns(cli_runner):
         result = cli_runner.invoke(CLI, ["list", "--columns"])
 
         assert result.exit_code == 0
-        assert result.output == (
-            "build-and-publish  cd             check-release-tag checks     ci       "
-            "gh-pages\n"
-            "matrix-all         matrix-exasol  matrix-python     merge-gate pr-merge "
-            "report  \n"
-            "slow-checks                                                                     \n"
-        )
+
+        expected_substrings = """
+        build-and-publish
+        cd
+        check-release-tag
+        checks
+        ci
+        dependency-update
+        gh-pages
+        matrix-all
+        matrix-exasol
+        matrix-python
+        merge-gate
+        pr-merge
+        report
+        slow-checks
+        """
+
+        actual = set(result.output.split())
+        expected = set(expected_substrings.split())
+
+        assert expected.issubset(actual)
 
 
 def test_show_workflow(cli_runner):
@@ -57,6 +73,7 @@ def test_show_workflow(cli_runner):
         "check-release-tag",
         "checks",
         "ci",
+        "dependency-update",
         "gh-pages",
         "matrix-all",
         "matrix-exasol",
@@ -92,6 +109,7 @@ def test_all_workflows(cli_runner, tmp_path):
             "check-release-tag.yml",
             "checks.yml",
             "ci.yml",
+            "dependency-update.yml",
             "gh-pages.yml",
             "matrix-all.yml",
             "matrix-exasol.yml",

test/unit/nox/_workflow_test.py

@@ -35,7 +35,7 @@ class TestGenerateWorkflow:
     @staticmethod
     @pytest.mark.parametrize(
         "nox_session_runner_posargs, expected_count",
-        [(ALL, 13), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]],
+        [(ALL, 14), *[(key, 1) for key in WORKFLOW_TEMPLATE_OPTIONS.keys()]],
         indirect=["nox_session_runner_posargs"],
     )
     def test_works_as_expected(

test/unit/tool_template_test.py

@@ -11,6 +11,7 @@ def test_retrieve_workflow_templates():
         "check-release-tag": "check-release-tag.yml",
         "checks": "checks.yml",
         "ci": "ci.yml",
+        "dependency-update": "dependency-update.yml",
         "gh-pages": "gh-pages.yml",
         "matrix-all": "matrix-all.yml",
         "matrix-exasol": "matrix-exasol.yml",
@@ -51,6 +52,7 @@ def test_retrieve_issue_templates():
                 "check-release-tag": "check-release-tag.yml",
                 "checks": "checks.yml",
                 "ci": "ci.yml",
+                "dependency-update": "dependency-update.yml",
                 "gh-pages": "gh-pages.yml",
                 "matrix-all": "matrix-all.yml",
                 "matrix-exasol": "matrix-exasol.yml",
@@ -106,6 +108,7 @@ def test_retrieve_templates(subpackage, expected):
                 "check-release-tag.yml",
                 "checks.yml",
                 "ci.yml",
+                "dependency-update.yml",
                 "gh-pages.yml",
                 "matrix-all.yml",
                 "matrix-exasol.yml",

test/unit/util/workflows/templates_test.py

@@ -11,6 +11,7 @@ def test_get_workflow_templates(project_config):
         "check-release-tag",
         "checks",
         "ci",
+        "dependency-update",
         "gh-pages",
         "matrix-all",
         "matrix-exasol",