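---
# Generated and maintained by the exasol-toolbox.
# Last generated with exasol-toolbox version 8.1.1.
#
# Purpose: on a weekly schedule (or on demand) audit the project's Python
# dependencies for known vulnerabilities. When the audit reports findings,
# run `poetry update`, commit the refreshed poetry.lock on a dated branch,
# open a pull request against the default branch and report it to Slack.
name: Dependency Update

# `on` is a YAML 1.1 boolean literal; GitHub's loader reads it as the key.
on:  # yamllint disable-line rule:truthy
  schedule:
    # Every Monday at 03:00 UTC
    - cron: "0 3 * * 1"
  workflow_dispatch:

jobs:
  dependency-update:
    name: Dependency Update
    runs-on: "ubuntu-24.04"
    # Job-scoped GITHUB_TOKEN permissions: `contents: write` is needed to push
    # the update branch, `pull-requests: write` to open the PR with `gh`.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check out Repository
        id: check-out-repository
        # NOTE(review): actions in this workflow are pinned to mutable major
        # tags; pinning to a full-length commit SHA makes the resolved action
        # tamper-evident.
        uses: actions/checkout@v6
        with:
          # The checkout keeps the token in the git config so that the later
          # "Commit Changes & Push" step can authenticate to origin.
          persist-credentials: true
          # Disables the shallow clone (full history is fetched).
          fetch-depth: 0
      - name: Fail if not running on the default branch
        id: check-branch
        if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch)
        env:
          # Passed via env instead of interpolating `${{ }}` into the script
          # so the ref value is never parsed as shell.
          CURRENT_BRANCH: ${{ github.ref }}
        run: |
          echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH"
          exit 1
      - name: Set up Python & Poetry Environment
        id: set-up-python-and-poetry-environment
        uses: exasol/python-toolbox/.github/actions/python-environment@v8
        with:
          python-version: "3.10"
          poetry-version: "2.3.0"
      - name: Audit Dependencies
        id: audit-dependencies
        # Outputs: `count` — number of entries in the audit's JSON array.
        run: |
          # The default `run` shell is `bash -e`; pipefail must be enabled
          # explicitly so a failing audit is not masked by `tee`/`sed`.
          set -o pipefail
          # NOTE(review): the export plugin is installed unpinned, so the
          # plugin version resolved here may differ between runs.
          poetry self add poetry-plugin-export
          # Pipeline purpose:
          # - `2>&1`: merge stdout and stderr into one stream.
          # - `tee /dev/stderr`: mirror the combined output back to stderr so it stays visible in the logs.
          # - `sed -n '/^\[/,$p'`: keep only the JSON payload and write it to vulnerabilities.json.
          # With `set -o pipefail`, any failure in the pipeline still fails this step and turns the workflow red.
          poetry run -- nox -s dependency:audit 2>&1 | tee /dev/stderr | sed -n '/^\[/,$p' > vulnerabilities.json
          LENGTH=$(jq 'length' vulnerabilities.json)
          echo "count=$LENGTH" >> "$GITHUB_OUTPUT"
      - name: Update Dependencies
        id: update-dependencies
        # Step outputs are strings; the expression engine coerces both sides
        # for the numeric comparison.
        if: steps.audit-dependencies.outputs.count > 0
        run: poetry update
      - name: Check for poetry.lock Changes
        id: check-for-poetry-lock-changes
        if: steps.audit-dependencies.outputs.count > 0
        # Outputs: `changed` — 'true' when `poetry update` modified poetry.lock.
        run: |
          if git diff --quiet -- poetry.lock; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Configure git
        id: configure-git
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        run: |
          git config --global user.email "opensource@exasol.com"
          git config --global user.name "Automatic Dependency Updater"
      - name: Create branch
        id: create-branch
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        # Branch name is derived from the current date; a second run on the
        # same day reuses the same name (`switch -C` resets it locally).
        run: |
          branch_name="dependency-update/$(date "+%Y-%m-%d")"
          echo "Creating branch $branch_name"
          git switch -C "$branch_name"
      - name: Commit Changes & Push
        id: publish-branch
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        # Only poetry.lock is staged, so no other working-tree changes from
        # `poetry update` can end up in the commit.
        run: |
          branch_name=$(git rev-parse --abbrev-ref HEAD)
          git add poetry.lock
          git commit --message "Updated poetry.lock"
          git push --set-upstream origin "$branch_name"
      - name: Create Pull Request
        id: create-pr
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        env:
          # Job-scoped token (see `permissions` above) used by `gh`.
          GH_TOKEN: ${{ github.token }}
        # Outputs: `pr_url` — URL of the created pull request.
        run: |
          BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
          PR_BODY="Automated dependency update for \`poetry.lock\`.
          This PR was created by the workflow \`dependency-update.yml\`
          Please perform the following actions on a locally checked out branch:
          - [ ] Execute \`poetry run -- nox -s workflow:generate -- all\`
          - [ ] Use \`poetry run -- nox -s dependency:audit\` to check for vulnerabilities requiring manual action
          - [ ] Update file \`doc/changes/unreleased.md\`
          "
          PR_URL=$(gh pr create \
            --base "$BASE_BRANCH" \
            --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
            --body "$PR_BODY")
          echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
      - name: Report New Pull Request to Slack Channel
        id: report-pr-slack
        # Skipped when no PR was created (empty output evaluates to false).
        if: ${{ steps.create-pr.outputs.pr_url }}
        # NOTE(review): a third-party action pinned to a mutable major tag
        # receives GITHUB_TOKEN and the Slack webhook secret here; a commit
        # SHA pin would fix the code that handles both.
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: '${{ job.status }}'
          token: '${{ secrets.GITHUB_TOKEN }}'
          notification_title: 'Dependency update for {repo} created a Pull Request'
          message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
        env:
          SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'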