✨ Automate Python dependency update #371

Open

ArBridgeman opened this issue Mar 7, 2025 · 0 comments

Labels
feature Product feature

Comments

@ArBridgeman (Collaborator) commented Mar 7, 2025

Summary

Updating the dependencies in Python projects is currently a manual process, which occurs for (1) security vulnerabilities, (2) ensuring our code works with the latest versions of dependencies, & (3) coordinating our shared tooling versions. We want to automate the process of updating dependencies, in a manner similar to our Java-based repos, to reduce the burden on the developer & expedite the remediation process.

Details

Background & Context

From project-keeper, the two critical workflows to emulate are:

In the Python projects:

  • we currently have dependabot enabled for dependency management. The pull requests generated by dependabot update the poetry.lock file, which is primarily used by developers. In order to communicate with the users of a package, the pyproject.toml and unrelease.md would need to be adapted, and in certain cases, a release should be created.
  • additionally, in certain projects, we build SLCs for an extension, which rely on the pinned dependencies. These projects require a release with the newly built SLC & an updated requirements file:

For tracking purposes, we need to create security issues to align with the PRs that would be opened.

Tasks

The 2 workflows we would create would check for security vulnerabilities, create issues, & open PRs.

  1. Use pip-audit to detect security vulnerabilities
  2. Use the output from pip-audit to create security issues
     with https://github.com/exasol/python-toolbox/blob/main/.github/actions/security-issues/action.yml
  3. Create structured PRs to update the poetry.lock file
  4. Create structured PRs to update the pyproject.toml
  5. Once the system is set up, we should also consider & remove duplicated efforts, i.e. dependabot, & determine whether we want to have pip-audit in the CI workflow check or rather not.
@ArBridgeman ArBridgeman added the feature Product feature label Mar 7, 2025
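Added example for tasks 1 and 2 above (not code from this issue, the python-toolbox repository, or its security-issues action): it turns a `pip-audit --format json` report into one structured issue record per vulnerable package, picks the lowest version that fixes every advisory on that package, and skips issues whose title already exists so a scheduled re-run does not open duplicates. It assumes the JSON layout pip-audit emits (top-level `dependencies`, each with `name`, `version` and a `vulns` list of objects carrying `id`, `fix_versions`, `aliases`, `description`; skipped dependencies have no `vulns` key). The sample report, package names and advisory identifiers below are constructed placeholders, not real findings.

```python
"""Turn a pip-audit JSON report into structured security-issue records.

Assumption: the report follows the layout of `pip-audit --format json`.
The SAMPLE_REPORT is constructed for this example; "example-*" packages
and "EXAMPLE-*" identifiers are placeholders, not real advisories.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "example-web", "version": "1.2.0", "vulns": [
            {"id": "EXAMPLE-0001", "fix_versions": ["1.2.1"],
             "aliases": ["EXAMPLE-ALIAS-0001"],
             "description": "Constructed finding: header | injection."},
            {"id": "EXAMPLE-0002", "fix_versions": [], "aliases": [],
             "description": "Constructed finding: no fix released yet."},
        ]},
        {"name": "example-db", "version": "2.4.0", "vulns": [
            {"id": "EXAMPLE-0004", "fix_versions": ["2.4.2"], "aliases": [],
             "description": "Constructed finding: auth bypass."},
            {"id": "EXAMPLE-0003", "fix_versions": ["2.4.3", "2.5.0"],
             "aliases": [], "description": "Constructed finding: DoS."},
        ]},
        {"name": "example-clean", "version": "3.0.0", "vulns": []},
        {"name": "example-skipped", "skip_reason": "constructed: not installed"},
    ],
})


@dataclass(frozen=True)
class SecurityIssue:
    title: str
    package: str
    installed: str
    vuln_ids: Tuple[str, ...]
    fixed_in: Optional[str]   # lowest version fixing all advisories, or None
    body: str                 # markdown body for the issue


def _version_key(version: str) -> Tuple[int, ...]:
    """Sort key for dotted versions; non-numeric suffixes (rc, dev) are
    dropped, which is a simplification sufficient for picking a fix."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def _minimum_fix(vulns: Iterable[dict]) -> Optional[str]:
    """Lowest release that closes every advisory; None if any has no fix."""
    lowest_per_vuln = []
    for vuln in vulns:
        fixes = vuln.get("fix_versions") or []
        if not fixes:
            return None
        lowest_per_vuln.append(min(fixes, key=_version_key))
    return max(lowest_per_vuln, key=_version_key)


def _cell(text: str) -> str:
    """Escape a description so it cannot break the markdown table."""
    return text.replace("\n", " ").replace("|", "\\|").strip()


def build_issues(report_json: str) -> List[SecurityIssue]:
    """One issue per vulnerable dependency, sorted by package name."""
    data = json.loads(report_json)
    issues = []
    for dep in sorted(data.get("dependencies", []), key=lambda d: d["name"]):
        vulns = dep.get("vulns") or []        # skipped deps have no "vulns"
        if not vulns:
            continue
        vulns = sorted(vulns, key=lambda v: v["id"])
        ids = tuple(v["id"] for v in vulns)
        fix = _minimum_fix(vulns)
        lines = [f"`pip-audit` reported {len(vulns)} advisories for "
                 f"`{dep['name']}=={dep['version']}`.", "",
                 "| ID | Aliases | Fixed in | Description |",
                 "|---|---|---|---|"]
        for v in vulns:
            aliases = ", ".join(v.get("aliases") or []) or "-"
            fixed = ", ".join(v.get("fix_versions") or []) or "no fix released"
            lines.append(f"| {v['id']} | {aliases} | {fixed} | "
                         f"{_cell(v.get('description', ''))} |")
        lines.append("")
        lines.append(f"Recommended action: bump `{dep['name']}` to {fix}." if fix
                     else "Recommended action: no fixed release yet; track "
                          "upstream and consider a workaround.")
        issues.append(SecurityIssue(
            title=f"🔐 {dep['name']} {dep['version']}: {', '.join(ids)}",
            package=dep["name"], installed=dep["version"], vuln_ids=ids,
            fixed_in=fix, body="\n".join(lines)))
    return issues


def issues_to_open(issues: Iterable[SecurityIssue],
                   existing_titles: Iterable[str]) -> List[SecurityIssue]:
    """Drop issues already tracked so a scheduled re-run does not duplicate."""
    seen = set(existing_titles)
    return [issue for issue in issues if issue.title not in seen]


if __name__ == "__main__":
    for issue in issues_to_open(build_issues(SAMPLE_REPORT), existing_titles=[]):
        print(issue.title)
        print(issue.body, end="\n\n")
```

The issue title is deterministic (package, installed version, sorted advisory IDs), so it doubles as the idempotency key for step 2; a PR for step 3 can reuse `fixed_in` as the target version for the lock-file bump. The version comparison deliberately ignores pre-release suffixes; a production workflow should use `packaging.version.Version` instead.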