CycloneDX · jkowalleck · Jul 8, 2025 · Jul 8, 2025 · Jul 8, 2025
@@ -50,6 +50,30 @@ jobs:
       - name: Run tox
         run: poetry run tox run -e pyupgrade -s false
 
+  deptry:
+    name: test dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v9
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e deptry -s false
+
   coding-standards:
     name: Linting & CodingStandards
     runs-on: ubuntu-latest

@@ -64,9 +64,32 @@ jobs:
       - name: Run tox
         run: poetry run tox run -e py -s false
 
+  deptry:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@v4
+      - name: Setup Python Environment
+        # see https://github.com/actions/setup-python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
+          architecture: 'x64'
+      - name: Install poetry
+        # see https://github.com/marketplace/actions/setup-poetry
+        uses: Gr1N/setup-poetry@v9
+        with:
+          poetry-version: ${{ env.POETRY_VERSION }}
+      - name: Install dependencies
+        run: poetry install --no-root
+      - name: Run tox
+        run: poetry run tox run -e deptry -s false
+
   release:
     needs:
       - quicktest
+      - deptry
     # https://github.community/t/how-do-i-specify-job-dependency-running-in-another-workflow/16482
     # limit this to being run on regular commits, not the commits that semantic-release will create
     # but also allow manual workflow dispatch

@@ -101,6 +101,7 @@ tox = "4.27.0"
 xmldiff = "2.7.0"
 bandit = "1.8.5"
 pyupgrade = "3.20.0"
+deptry = "0.23.0"
 
 [tool.semantic_release]
 # see https://python-semantic-release.readthedocs.io/en/latest/configuration.html
@@ -148,3 +149,6 @@ prerelease_token = "alpha"
 match = "(\\d+\\.0\\.0-(dev|rc)|dev/\\d+\\.0\\.0)"
 prerelease = true
 prerelease_token = "rc"
+
+[tool.deptry]
+extend_exclude = ["docs", "examples", "package_aliases", "tools"]
@@ -10,6 +10,7 @@ envlist =
     mypy-{current,lowest}
     py{313,312,311,310,39}-{allExtras,noExtras}
     bandit
+    deptry
 skip_missing_interpreters = True
 usedevelop = False
 download = False
@@ -44,6 +45,11 @@ commands =
 commands =
     poetry run bandit -c bandit.yml -v -r cyclonedx tests examples tools
 
+[testenv:deptry]
+# config is in `pyproject.toml`
+command =
+    poetry run deptry -v .
+
 [testenv:pyupgrade]
 allowlist_externals = poetry, sh
 commands = sh -c "\