add dependency-update workflow template (fixes #683)

.github/workflows/dependency-update.yml

@@ -0,0 +1,60 @@
+name: Dependency Update
+
+on:
+  schedule:
+    # Every Monday at 03:00 UTC
+    - cron: "0 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  dependency-update:
+    name: Dependency Update
+    runs-on: "ubuntu-24.04"
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check out Repository
+        id: check-out-repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python & Poetry Environment
+        id: set-up-python-and-poetry-environment
+        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        with:
+          python-version: "3.10"
+          poetry-version: "2.3.0"
+
+      - name: Audit Dependencies
+        id: audit-dependencies
+        run: poetry run -- nox -s dependency:audit
+
+      - name: Update Dependencies
+        id: update-dependencies
+        run: poetry update
+
+      - name: Check for poetry.lock Changes
+        id: check-for-poetry-lock-changes
+        run: |
+          if git diff --quiet -- poetry.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "Update poetry.lock"
+          branch: dependency-update/poetry-lock
+          delete-branch: true
+          title: "Update poetry.lock"
+          body: |-
+            Automated dependency update for `poetry.lock`.
+
+            This PR was created by the dependency update workflow after running:
+            - `poetry run -- nox -s dependency:audit`
+            - `poetry update`

doc/github_actions/dependency_update.rst

@@ -0,0 +1,14 @@
+dependency-update
+=================
+
+This workflow updates the project dependencies using Poetry.
+
+It first runs a dependency audit via ``nox -s dependency:audit`` and then updates the dependencies using ``poetry update``.
+If the ``poetry.lock`` file changes, a pull request is created automatically.
+
+Example Usage
+-------------
+
+.. code-block:: bash
+
+    tbx workflow install dependency-update

doc/github_actions/github_actions.rst

@@ -8,3 +8,4 @@
 
     python_environment
     security_issues
+    dependency_update

exasol/toolbox/templates/github/workflows/dependency-update.yml

@@ -0,0 +1,60 @@
+name: Dependency Update
+
+on:
+  schedule:
+    # Every Monday at 03:00 UTC
+    - cron: "0 3 * * 1"
+  workflow_dispatch:
+
+jobs:
+  dependency-update:
+    name: Dependency Update
+    runs-on: "(( os_version ))"
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Check out Repository
+        id: check-out-repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python & Poetry Environment
+        id: set-up-python-and-poetry-environment
+        uses: exasol/python-toolbox/.github/actions/python-environment@v6
+        with:
+          python-version: "(( minimum_python_version ))"
+          poetry-version: "(( dependency_manager_version ))"
+
+      - name: Audit Dependencies
+        id: audit-dependencies
+        run: poetry run -- nox -s dependency:audit
+
+      - name: Update Dependencies
+        id: update-dependencies
+        run: poetry update
+
+      - name: Check for poetry.lock Changes
+        id: check-for-poetry-lock-changes
+        run: |
+          if git diff --quiet -- poetry.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create Pull Request
+        id: create-pull-request
+        if: steps.check-for-poetry-lock-changes.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          commit-message: "Update poetry.lock"
+          branch: dependency-update/poetry-lock
+          delete-branch: true
+          title: "Update poetry.lock"
+          body: |
+            Automated dependency update for `poetry.lock`.
+
+            This PR was created by the dependency update workflow after running:
+            - `poetry run -- nox -s dependency:audit`
+            - `poetry update`

test/integration/tools/workflow_integration_test.py

@@ -18,6 +18,7 @@ def test_with_default(cli_runner):
             "check-release-tag\n"
             "checks\n"
             "ci\n"
+            "dependency-update\n"
             "gh-pages\n"
             "matrix-all\n"
             "matrix-exasol\n"
@@ -33,14 +34,20 @@ def test_with_columns(cli_runner):
         result = cli_runner.invoke(CLI, ["list", "--columns"])
 
         assert result.exit_code == 0
-        assert result.output == (
-            "build-and-publish  cd             check-release-tag checks     ci       "
-            "gh-pages\n"
-            "matrix-all         matrix-exasol  matrix-python     merge-gate pr-merge "
-            "report  \n"
-            "slow-checks                                                                     \n"
-        )
-
+        assert "build-and-publish" in result.output
+        assert "cd" in result.output
+        assert "check-release-tag" in result.output
+        assert "checks" in result.output
+        assert "ci" in result.output
+        assert "dependency-update" in result.output
+        assert "gh-pages" in result.output
+        assert "matrix-all" in result.output
+        assert "matrix-exasol" in result.output
+        assert "matrix-python" in result.output
+        assert "merge-gate" in result.output
+        assert "pr-merge" in result.output
+        assert "report" in result.output
+        assert "slow-checks" in result.output
 
 def test_show_workflow(cli_runner):
     result = cli_runner.invoke(CLI, ["show", "checks"])
@@ -57,6 +64,7 @@ def test_show_workflow(cli_runner):
         "check-release-tag",
         "checks",
         "ci",
+        "dependency-update",
         "gh-pages",
         "matrix-all",
         "matrix-exasol",
@@ -92,6 +100,7 @@ def test_all_workflows(cli_runner, tmp_path):
             "check-release-tag.yml",
             "checks.yml",
             "ci.yml",
+            "dependency-update.yml",
             "gh-pages.yml",
             "matrix-all.yml",
             "matrix-exasol.yml",