Security/relock dependencies for tornado and setuptools (#579)

* Update to exasol-toolbox 1.3.0
  * Remove dependencies which are used in the toolbox itself
  * Update pre-commit hook to correct nox tasks
  * Get rid of version check as duplicate to PTB

* Reduce mypy scope to areas with specific issues

* Update workflows to exasol-toolbox to 1.3.0

* Update locked dependencies to resolve CVE-2025-47287 & CVE-2025-47273

Author: ArBridgeman

.github/workflows/build-and-publish.yml

@@ -11,13 +11,14 @@ jobs:
   cd-job:
     name: Continuous Delivery
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
-
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Build Artifacts
         run: poetry build

.github/workflows/cd.yml

@@ -10,15 +10,23 @@ jobs:
   check-tag-version-job:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
+    permissions:
+      contents: read
 
   cd-job:
     name: Continuous Delivery
     uses: ./.github/workflows/build-and-publish.yml
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
   publish-docs:
     needs: [ cd-job ]
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 

.github/workflows/check-release-tag.yml

@@ -1,20 +1,21 @@
 name: Check Release Tag
 
-on: workflow_call
+on:
+  workflow_call:
 
 jobs:
 
   check-tag-version-job:
-
     name: Check Tag Version
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Check Tag Version
         # make sure the pushed/created tag matched the project version

.github/workflows/checks.yml

@@ -4,35 +4,35 @@ on:
   workflow_call:
 
 jobs:
-
   Version-Check:
     name: Version
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Check Version(s)
-        run: |
-          poetry run version-check `poetry run -- python -c "from noxconfig import PROJECT_CONFIG; print(PROJECT_CONFIG.version_file)"`
+        run: poetry run -- nox -s version:check
 
   Documentation:
     name: Docs
     needs: [ Version-Check ]
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Build Documentation
         run: |
@@ -41,18 +41,21 @@ jobs:
   build-matrix:
     name: Generate Build Matrix
     uses: ./.github/workflows/matrix-python.yml
+    permissions:
+      contents: read
 
   Changelog:
     name: Changelog Update Check
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }}
-
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Run changelog update check
         run: poetry run -- nox -s changelog:updated
@@ -61,24 +64,25 @@ jobs:
     name: Linting (Python-${{ matrix.python-version }})
     needs: [ Version-Check, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
-
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Run lint
         run: poetry run -- nox -s lint:code
 
       - name: Upload Artifacts
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         with:
           name: lint-python${{ matrix.python-version }}
           path: |
@@ -90,6 +94,8 @@ jobs:
     name: Type Checking (Python-${{ matrix.python-version }})
     needs: [ Version-Check, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
@@ -99,7 +105,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -110,6 +116,8 @@ jobs:
     name: Security Checks (Python-${{ matrix.python-version }})
     needs: [ Version-Check, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
@@ -119,15 +127,15 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Run security linter
         run: poetry run -- nox -s lint:security
 
       - name: Upload Artifacts
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         with:
           name: security-python${{ matrix.python-version }}
           path: .security.json
@@ -136,21 +144,24 @@ jobs:
   Format:
     name: Format Check
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Run format check
         run: poetry run -- nox -s project:format
 
   Tests:
-    name: Unit-Tests (Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}})
+    name: Unit-Tests (Python-${{ matrix.python-version }})
     needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
@@ -162,15 +173,15 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
         with:
           python-version: ${{ matrix.python-version }}
 
       - name: Run Tests and Collect Coverage
         run: poetry run -- nox -s test:unit -- --coverage
 
       - name: Upload Artifacts
-        uses: actions/[email protected].0
+        uses: actions/[email protected].2
         with:
           name: coverage-python${{ matrix.python-version }}-fast
           path: .coverage

.github/workflows/ci.yml

@@ -8,15 +8,19 @@ on:
       - "main"
       - "master"
   schedule:
-    # “At 00:00 on every 7th day-of-month from 1 through 31.” (https://crontab.guru)
+    # "At 00:00 on every 7th day-of-month from 1 through 31." (https://crontab.guru)
     - cron: "0 0 1/7 * *"
 
 jobs:
 
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
+    permissions:
+      contents: read
 
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

.github/workflows/gh-pages.yml

@@ -6,26 +6,40 @@ on:
 
 jobs:
 
-  documentation-job:
+  build-documentation:
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Build Documentation
         run: |
           poetry run -- nox -s docs:multiversion
+          rm -r .html-documentation/*/.doctrees
 
-      - name: Deploy
-        uses: JamesIves/github-pages-[email protected]
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
         with:
-          branch: gh-pages
-          folder: .html-documentation
-          git-config-name: Github Action
-          git-config-email: [email protected]
+          path: .html-documentation
+
+  deploy-documentation:
+    needs: [ build-documentation ]
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

.github/workflows/matrix-all.yml

@@ -9,15 +9,15 @@ on:
 
 jobs:
   all_versions:
-
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Generate matrix
         run: poetry run -- nox -s matrix:all

.github/workflows/matrix-exasol.yml

@@ -9,15 +9,15 @@ on:
 
 jobs:
   exasol_versions:
-
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Generate matrix
         run: poetry run -- nox -s matrix:exasol

.github/workflows/matrix-python.yml

@@ -9,15 +9,15 @@ on:
 
 jobs:
   python_versions:
-
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.3.0
 
       - name: Generate matrix
         run: poetry run -- nox -s matrix:python