Merge branch 'main' into tl-add-security-md

Author: ArBridgeman

.github/workflows/checks.yml

@@ -117,6 +117,25 @@ jobs:
           path: .security.json
           include-hidden-files: true
 
+  Vulnerabilities:
+    name: Check Vulnerabilities (Python-${{ matrix.python-version }})
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run Package vulnerabilities Check
+        run: poetry run nox -s dependency:audit
+
   Format:
     name: Format Check
     runs-on: ubuntu-latest

doc/changes/changelog.md

@@ -1,6 +1,7 @@
 # Changelog
 
 * [unreleased](unreleased.md)
+* [0.21.0](changes_0.21.0.md)
 * [0.20.0](changes_0.20.0.md)
 * [0.19.0](changes_0.19.0.md)
 * [0.18.0](changes_0.18.0.md)
@@ -29,6 +30,7 @@
 hidden:
 ---
 unreleased
+changes_0.21.0
 changes_0.20.0
 changes_0.19.0
 changes_0.18.0

doc/changes/changes_0.21.0.md

@@ -0,0 +1,29 @@
+# 0.21.0 - 2025-02-25
+
+## ✨ Features
+
+* Added tbx task for markdown formating of .lint.json
+* Added a Nox task for dependencies packages and their licenses with Markdown output
+* [#293](https://github.com/exasol/python-toolbox/issues/293): Added `py.typed` file
+
+## 🐞 Fixed
+* Fixed an issue in the CI workflow that caused it to be executed twice on the initial push of a PR if the PR branch was on the repo itself.
+
+    🚨 Attention: Due to these changes, the workflows will no longer be executed if the PR comes from a branch not located in this repository.
+                  As third-party contributions from outside forks are rare to nearly non-existent, this downside was considered a reasonable trade-off at this time.
+
+## 📚 Documentation
+* Updated design doc (Added known Issues)
+* Updated migration progress table
+* Updated the FAQ with an entry about the ``isort`` compatibility issue
+* [#351](https://github.com/exasol/python-toolbox/issues/351), [#352](https://github.com/exasol/python-toolbox/issues/352): updated user guide
+
+## 🔧 Changed
+* Updated `actions/upload-artifacts` version to `4.6.0`
+
+## 🔩 Internal
+* Relocked dependencies
+* Update referenced github actions
+
+## ⚒️ Refactorings
+* [#339](https://github.com/exasol/python-toolbox/issues/339): Secret ALTERNATIVE_GITHUB_TOKEN removed from GitHub workflows

doc/changes/unreleased.md

@@ -2,27 +2,4 @@
 
 ## ✨ Added
 
-* added tbx task for markdown formating of .lint.json
-* Added a Nox task for dependencies packages and their licenses with Markdown output
-
-## 🐞 Fixed
-* Fixed an issue in the CI workflow that caused it to be executed twice on the initial push of a PR if the PR branch was on the repo itself.
-
-    🚨 Attention: Due to these changes, the workflows will no longer be executed if the PR comes from a branch not located in this repository.
-                  As third-party contributions from outside forks are rare to nearly non-existent, this downside was considered a reasonable trade-off at this time.
-
-## 📚 Documentation
-* Updated design doc (Added known Issues)
-* Updated migration progress table
-* Updated the FAQ with an entry about the ``isort`` compatibility issue
-* [#351](https://github.com/exasol/python-toolbox/issues/351), [#352](https://github.com/exasol/python-toolbox/issues/352): updated user guide
-
-## 🔧 Changed
-* Updated `actions/upload-artifacts` version to `4.6.0`
-
-## 🔩 Internal
-* Relocked dependencies
-* Update referenced github actions
-
-## ⚒️ Refactorings
-* [#339](https://github.com/exasol/python-toolbox/issues/339): Secret ALTERNATIVE_GITHUB_TOKEN removed from GitHub workflows
+* [#73](https://github.com/exasol/python-toolbox/issues/73): Added nox target for auditing work spaces in regard to known vulnerabilities

doc/developer_guide/developer_guide.rst

@@ -8,6 +8,6 @@
     :maxdepth: 2
 
     ../design
-    development
     plugins
     modules/modules
+    ../user_guide/how_to_release

doc/developer_guide/development.rst

@@ -1,12 +1,79 @@
 How to Release?
 ===============
 
-#.  Use :code:`nox -s release:prepare` to prepare the project for a new release.
-#.  Merge your **Pull Request** to the **default branch**
-#.  Use :code:`git remote show origin | sed -n '/HEAD branch/s/.*: //p'` to output the **default branch**
-#.  Use :code:`git checkout <default branch>` Switch to the **default branch**
-#.  Use :code:`git pull` to update branch
-#.  Use :code:`TAG=<name>` to set a variable named **"TAG"**
-#.  Use :code:`git tag "${TAG}"` to create a new tag in your repo
-#.  Use :code:`git push origin "${TAG}"` to push it to remote
-#.  GitHub workflow **CD** reacts on this tag and starts the release process
+Creating a Release
+++++++++++++++++++
+
+1. Set a variable named **TAG** with the appropriate version numbers:
+
+    .. code-block:: shell
+
+        TAG="<major>.<minor>.<patch>"
+
+#. Prepare the project for a new release:
+
+    .. code-block:: shell
+
+        nox -s release:prepare -- "${TAG}"
+
+#. Merge your **Pull Request** to the **default branch**
+#. Switch to the **default branch**:
+
+    .. code-block:: shell
+
+        git checkout $(git remote show origin | sed -n '/HEAD branch/s/.*: //p')
+
+#. Update branch:
+
+    .. code-block:: shell
+
+        git pull
+
+#. Create a new tag in your local repo:
+
+    .. code-block:: shell
+
+        git tag "${TAG}"
+
+#. Push the repo to remote:
+
+    .. code-block:: shell
+
+        git push origin "${TAG}"
+
+    .. hint::
+
+         GitHub workflow **.github/workflows/cd.yml** reacts on this tag and starts the release process
+
+What to do if the release failed?
++++++++++++++++++++++++++++++++++
+
+The release failed during pre-release checks
+--------------------------------------------
+
+#. Delete the local tag
+
+    .. code-block:: shell
+
+        git tag -d "${TAG}"
+
+#. Delete the remote tag
+
+    .. code-block:: shell
+
+        git push --delete origin "${TAG}"
+
+#. Fix the issue(s) which lead to the failing checks
+#. Start the release process from the beginning
+
+
+One of the release steps failed (Partial Release)
+-------------------------------------------------
+#. Check the Github action/workflow to see which steps failed
+#. Finish or redo the failed release steps manually
+
+.. note:: Example
+
+    **Scenario**: Publishing of the release on Github was successfully but during the PyPi release, the upload step got interrupted.
+
+    **Solution**: Manually push the package to PyPi

doc/user_guide/how_to_release.rst

@@ -212,10 +212,20 @@ def _normalize_package_name(name: str) -> str:
     return template.format(heading=heading(), rows=rows)
 
 
+def _audit(session: Session) -> None:
+    session.run("poetry", "run", "pip-audit")
+
+
 @nox.session(name="dependency:licenses", python=False)
 def dependency_licenses(session: Session) -> None:
     """returns the packages and their licenses"""
     toml = Path("pyproject.toml")
     dependencies = _dependencies(toml.read_text())
     package_infos = _licenses()
     print(_packages_to_markdown(dependencies=dependencies, packages=package_infos))
+
+
+@nox.session(name="dependency:audit", python=False)
+def audit(session: Session) -> None:
+    """Check for known vulnerabilities"""
+    _audit(session)

exasol/toolbox/nox/_dependencies.py

@@ -81,6 +81,7 @@ def check(session: Session) -> None:
 
 from exasol.toolbox.nox._dependencies import (
     dependency_licenses,
+    audit
 )
 
 # isort: on