Merge branch 'main' into feature/#65-Add-nox-session-for-checking-if-the-changelog-got-updated

Author: Jannis-Mittenzwei

.github/workflows/checks.yml

@@ -136,6 +136,25 @@ jobs:
           path: .security.json
           include-hidden-files: true
 
+  Vulnerabilities:
+    name: Check Vulnerabilities (Python-${{ matrix.python-version }})
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run Package vulnerabilities Check
+        run: poetry run nox -s dependency:audit
+
   Format:
     name: Format Check
     runs-on: ubuntu-latest

doc/changes/unreleased.md

@@ -2,4 +2,5 @@
 
 ## ✨ Added
 
+* [#73](https://github.com/exasol/python-toolbox/issues/73): Added nox target for auditing work spaces in regard to known vulnerabilities
 * [#65](https://github.com/exasol/python-toolbox/issues/65): Added a Nox task for checking if the changelog got updated.

doc/developer_guide/developer_guide.rst

@@ -8,6 +8,6 @@
     :maxdepth: 2
 
     ../design
-    development
     plugins
     modules/modules
+    ../user_guide/how_to_release

doc/developer_guide/development.rst

@@ -1,12 +1,79 @@
 How to Release?
 ===============
 
-#.  Use :code:`nox -s release:prepare` to prepare the project for a new release.
-#.  Merge your **Pull Request** to the **default branch**
-#.  Use :code:`git remote show origin | sed -n '/HEAD branch/s/.*: //p'` to output the **default branch**
-#.  Use :code:`git checkout <default branch>` Switch to the **default branch**
-#.  Use :code:`git pull` to update branch
-#.  Use :code:`TAG=<name>` to set a variable named **"TAG"**
-#.  Use :code:`git tag "${TAG}"` to create a new tag in your repo
-#.  Use :code:`git push origin "${TAG}"` to push it to remote
-#.  GitHub workflow **CD** reacts on this tag and starts the release process
+Creating a Release
+++++++++++++++++++
+
+1. Set a variable named **TAG** with the appropriate version numbers:
+
+    .. code-block:: shell
+
+        TAG="<major>.<minor>.<patch>"
+
+#. Prepare the project for a new release:
+
+    .. code-block:: shell
+
+        nox -s release:prepare -- "${TAG}"
+
+#. Merge your **Pull Request** to the **default branch**
+#. Switch to the **default branch**:
+
+    .. code-block:: shell
+
+        git checkout $(git remote show origin | sed -n '/HEAD branch/s/.*: //p')
+
+#. Update branch:
+
+    .. code-block:: shell
+
+        git pull
+
+#. Create a new tag in your local repo:
+
+    .. code-block:: shell
+
+        git tag "${TAG}"
+
+#. Push the repo to remote:
+
+    .. code-block:: shell
+
+        git push origin "${TAG}"
+
+    .. hint::
+
+         GitHub workflow **.github/workflows/cd.yml** reacts on this tag and starts the release process
+
+What to do if the release failed?
++++++++++++++++++++++++++++++++++
+
+The release failed during pre-release checks
+--------------------------------------------
+
+#. Delete the local tag
+
+    .. code-block:: shell
+
+        git tag -d "${TAG}"
+
+#. Delete the remote tag
+
+    .. code-block:: shell
+
+        git push --delete origin "${TAG}"
+
+#. Fix the issue(s) which lead to the failing checks
+#. Start the release process from the beginning
+
+
+One of the release steps failed (Partial Release)
+-------------------------------------------------
+#. Check the Github action/workflow to see which steps failed
+#. Finish or redo the failed release steps manually
+
+.. note:: Example
+
+    **Scenario**: Publishing of the release on Github was successfully but during the PyPi release, the upload step got interrupted.
+
+    **Solution**: Manually push the package to PyPi

doc/user_guide/how_to_release.rst

@@ -212,10 +212,20 @@ def _normalize_package_name(name: str) -> str:
     return template.format(heading=heading(), rows=rows)
 
 
+def _audit(session: Session) -> None:
+    session.run("poetry", "run", "pip-audit")
+
+
 @nox.session(name="dependency:licenses", python=False)
 def dependency_licenses(session: Session) -> None:
     """returns the packages and their licenses"""
     toml = Path("pyproject.toml")
     dependencies = _dependencies(toml.read_text())
     package_infos = _licenses()
     print(_packages_to_markdown(dependencies=dependencies, packages=package_infos))
+
+
+@nox.session(name="dependency:audit", python=False)
+def audit(session: Session) -> None:
+    """Check for known vulnerabilities"""
+    _audit(session)

exasol/toolbox/nox/_dependencies.py

@@ -82,6 +82,7 @@ def check(session: Session) -> None:
 
 from exasol.toolbox.nox._dependencies import (
     dependency_licenses,
+    audit
 )
 
 # isort: on

exasol/toolbox/nox/tasks.py

@@ -139,6 +139,25 @@ jobs:
           path: .security.json
           include-hidden-files: true
 
+  Vulnerabilities:
+    name: Check Vulnerabilities (Python-${{ matrix.python-version }})
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run Package vulnerabilities Check
+        run: poetry run nox -s dependency:audit
+
   Format:
     name: Format Check
     runs-on: ubuntu-latest