
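# Weekly dependency-audit workflow: runs the project's vulnerability audit,
# refreshes poetry.lock when findings exist, and opens a pull request
# (reported to Slack) for a human to review.
name: Dependency Update
on:
  schedule:
    # Every Monday at 03:00 UTC
    - cron: "0 3 * * 1"
  # Manual trigger; the check-branch step below still enforces the default branch.
  workflow_dispatch:
jobs:
  dependency-update:
    name: Dependency Update
    runs-on: "ubuntu-24.04"
    # Least privilege for this job: push the update branch and open the PR.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Check out Repository
        id: check-out-repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Fail if not running on the default branch
        id: check-branch
        if: github.ref != format('refs/heads/{0}', github.event.repository.default_branch)
        uses: actions/github-script@v8
        with:
          # Read the ref from the runner environment instead of expanding a
          # `${{ }}` expression inside the script text; an expanded ref name
          # containing quote characters would otherwise be spliced into the
          # JavaScript source.
          script: |
            core.setFailed(`Not running on the default branch. github.ref is ${process.env.GITHUB_REF}`)
      - name: Set up Python & Poetry Environment
        id: set-up-python-and-poetry-environment
        uses: exasol/python-toolbox/.github/actions/python-environment@v6
        with:
          python-version: "3.10"
          poetry-version: "2.3.0"
      - name: Audit Dependencies
        id: audit-dependencies
        # Assumes the audit session writes a JSON array to stdout; `jq length`
        # yields the finding count. The default `run` shell (bash -eo pipefail)
        # fails the step if the audit or jq exits non-zero — TODO confirm the
        # session emits nothing but the JSON array on stdout.
        run: |
          poetry run -- nox -s dependency:audit | tee vulnerabilities.json
          LENGTH=$(jq 'length' vulnerabilities.json)
          echo "count=$LENGTH" >> "$GITHUB_OUTPUT"
      - name: Update Dependencies
        id: update-dependencies
        # Step outputs are strings; the expression engine casts both sides to
        # numbers for `>`.
        if: steps.audit-dependencies.outputs.count > 0
        run: poetry update
      - name: Check for poetry.lock Changes
        id: check-for-poetry-lock-changes
        if: steps.audit-dependencies.outputs.count > 0
        run: |
          if git diff --quiet -- poetry.lock; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Configure git
        id: configure-git
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        run: |
          git config --global user.email "opensource@exasol.com"
          git config --global user.name "Automatic Dependency Updater"
      - name: Create branch
        id: create-branch
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        # One branch per calendar day; a second run on the same day reuses
        # the name locally, and the push below then depends on the remote
        # branch state.
        run: |
          branch_name="dependency-update/$(date "+%Y-%m-%d")"
          echo "Creating branch $branch_name"
          git switch -C "$branch_name"
      - name: Commit Changes & Push
        id: publish-branch
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        run: |
          branch_name=$(git rev-parse --abbrev-ref HEAD)
          git add poetry.lock
          git commit --message "Updated poetry.lock"
          git push --set-upstream origin "$branch_name"
      - name: Create Pull Request
        id: create-pr
        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
        env:
          # The workflow token is used deliberately; PRs created with it do not
          # trigger other workflows, which is why the PR body asks the reviewer
          # to run the generation and audit sessions locally.
          GH_TOKEN: ${{ github.token }}
        run: |
          BASE_BRANCH=$(gh repo view --json defaultBranchRef -q .defaultBranchRef.name)
          PR_BODY="Automated dependency update for \`poetry.lock\`.
          This PR was created by the workflow \`dependency-update.yml\`
          Please perform the following actions on a locally checked out branch:
          - [ ] Execute \`poetry run -- nox -s workflow:generate -- all\`
          - [ ] Use \`poetry run -- nox -s dependency:audit\` to check for vulnerabilities requiring manual action
          - [ ] Update file \`doc/changes/unreleased.md\`
          "
          PR_URL=$(gh pr create \
            --base "$BASE_BRANCH" \
            --title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \
            --body "$PR_BODY")
          echo "pr_url=$PR_URL" >> "$GITHUB_OUTPUT"
      - name: Report New Pull Request to Slack Channel
        id: report-pr-slack
        # Only runs when the previous step produced a PR URL.
        if: ${{ steps.create-pr.outputs.pr_url }}
        # Third-party action referenced by a mutable tag; pinning it to a
        # commit SHA would make the supply chain reproducible.
        uses: ravsamhq/notify-slack-action@v2
        with:
          status: '${{ job.status }}'
          token: '${{ secrets.GITHUB_TOKEN }}'
          notification_title: 'Dependency update for {repo} created a Pull Request'
          message_format: '{workflow} created Pull Request ${{ steps.create-pr.outputs.pr_url }}'
        env:
          SLACK_WEBHOOK_URL: '${{ secrets.INTEGRATION_TEAM_SECURITY_UPDATES_WEBHOOK }}'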