Dependency Update #6
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Generated and maintained by the exasol-toolbox. | |
| # Last generated with exasol-toolbox version 10.0.0. | |
| name: Dependency Update | |
| on: | |
| schedule: | |
| # Every Monday at 03:00 UTC | |
| - cron: "0 3 * * 1" | |
| workflow_dispatch: | |
| jobs: | |
| dependency-update: | |
| name: Dependency Update | |
| runs-on: "ubuntu-24.04" | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| steps: | |
| - name: Check out Repository | |
| id: check-out-repository | |
| uses: actions/checkout@v6 | |
| with: | |
| persist-credentials: true | |
| fetch-depth: 0 | |
| - name: Fail if not running on the default branch | |
| id: check-branch | |
| if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch) | |
| env: | |
| CURRENT_BRANCH: ${{ github.ref }} | |
| run: | | |
| echo "Not running on the default branch. Current ref is: $CURRENT_BRANCH" | |
| exit 1 | |
| - name: Set up Python & Poetry Environment | |
| id: set-up-python-and-poetry-environment | |
| uses: exasol/python-toolbox/.github/actions/python-environment@v10 | |
| with: | |
| python-version: "3.10" | |
| poetry-version: "2.3.0" | |
| - name: Audit Dependencies | |
| id: audit-dependencies | |
| run: | | |
| set -o pipefail | |
| poetry self add poetry-plugin-export | |
| # Pipeline purpose: | |
| # - `2>&1`: merge stdout and stderr into one stream. | |
| # - `tee /dev/stderr`: mirror the combined output back to stderr so it stays visible in the logs. | |
| # - `sed -n '/^\[/,$p'`: keep only the JSON payload and write it to vulnerabilities.json. | |
| # With `set -o pipefail`, any failure in the pipeline still fails this step and turns the workflow red. | |
| poetry run -- nox -s dependency:audit 2>&1 | tee /dev/stderr | sed -n '/^\[/,$p' > vulnerabilities.json | |
| LENGTH=$(jq 'length' vulnerabilities.json) | |
| echo "count=$LENGTH" >> "$GITHUB_OUTPUT" | |
| - name: Update Dependencies | |
| id: update-dependencies | |
| if: steps.audit-dependencies.outputs.count > 0 | |
| run: poetry update | |
| - name: Check for poetry.lock Changes | |
| id: check-for-poetry-lock-changes | |
| if: steps.audit-dependencies.outputs.count > 0 | |
| run: | | |
| if git diff --quiet -- poetry.lock; then | |
| echo "changed=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "changed=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Configure git | |
| id: configure-git | |
| if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' | |
| run: | | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "Automatic Dependency Updater" | |
| - name: Create branch | |
| id: create-branch | |
| if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' | |
| run: | | |
| branch_name="dependency-update/$(date "+%Y-%m-%d")" | |
| echo "Creating branch $branch_name" | |
| git switch -C "$branch_name" | |
| - name: Commit Changes & Push | |
| id: publish-branch | |
| if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' | |
| run: | | |
| branch_name=$(git rev-parse --abbrev-ref HEAD) | |
| git add poetry.lock | |
| git commit --message "Updated poetry.lock" | |
| git push --set-upstream origin "$branch_name" | |
| - name: Create Pull Request | |
| id: create-pr | |
| if: steps.check-for-poetry-lock-changes.outputs.changed == 'true' | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name) | |
| PR_BODY="Automated dependency update for \`poetry.lock\`. | |
| This PR was created by the workflow \`dependency-update.yml\` | |
| Please perform the following actions on a locally checked out branch: | |
| - [ ] Execute \`poetry run -- nox -s workflow:generate -- all\` | |
| - [ ] Use \`poetry run -- nox -s dependency:audit\` to check for vulnerabilities requiring manual action | |
| - [ ] Update file \`doc/changes/unreleased.md\` | |
| " | |
| PR_URL=$(gh pr create \ | |
| --base "$BASE_BRANCH" \ | |
| --label "security" \ | |
| --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \ | |
| --body "$PR_BODY") | |
| echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT" | |
| - name: Report New Pull Request to Slack Channel | |
| id: report-pr-slack | |
| if: ${{ steps.create-pr.outputs.pr_url }} | |
| uses: ravsamhq/notify-slack-action@be814b201e233b2dc673608aa46e5447c8ab13f2 # 2.5.0 | |
| with: | |
| status: '${{ job.status }}' | |
| token: '${{ secrets.GITHUB_TOKEN }}' | |
| notification_title: 'Dependency update for {repo} created a Pull Request' | |
| message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}' | |
| env: | |
| SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}' |