Refactoring/92 update poetry to 2.1.2 (#93)

* Add security.md file

* Relock dependencies to resolve CVE-2025-27516 for jinja2

* Add .idea to .gitignore

* Update exasol-toolbox to 1.0.1 & related workflows

* Update poetry run <command> to poetry run -- <command> for poetry 2.1+ compatibility

* Update poetry to 2.1.2

* Switch generate_api to run project:fix command to align with ci check

---------

Co-authored-by: Tun Loakthar <[email protected]>

Author: ArBridgeman

.github/workflows/build-and-publish.yml

@@ -10,16 +10,14 @@ jobs:
 
   cd-job:
     name: Continuous Delivery
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
 
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/[email protected]
-        with:
-          poetry-version: 2.0.1
+        uses: exasol/python-toolbox/.github/actions/[email protected]
 
       - name: Build Artifacts
         run: poetry build

.github/workflows/ci-cd.yml renamed to .github/workflows/cd.yml

@@ -1,4 +1,4 @@
-name: CI/CD
+name: CD
 
 on:
   push:
@@ -11,15 +11,14 @@ jobs:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
 
-  ci-job:
-    name: Checks
-    needs: [ check-tag-version-job ]
-    uses: ./.github/workflows/checks.yml
-    secrets: inherit
-
   cd-job:
     name: Continuous Delivery
-    needs: [ ci-job ]
     uses: ./.github/workflows/build-and-publish.yml
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
+
+  publish-docs:
+    needs: [ cd-job ]
+    name: Publish Documentation
+    uses: ./.github/workflows/gh-pages.yml
+

.github/workflows/check-api-outdated.yml

@@ -17,7 +17,7 @@ jobs:
 
   check-api-outdated:
     name: Check API Outdated
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
 
@@ -26,13 +26,12 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@0.20.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
         with:
-          poetry-version: 2.0.1
           python-version: "3.10"
 
       - name: Run Nox Task api:check-outdated
-        run: poetry run nox -s api:check-outdated
+        run: poetry run -- nox -s api:check-outdated
 
       - name: Report Failure Status to Slack Channel
         if: ${{ failure() && github.event_name == 'schedule' }}

.github/workflows/check-release-tag.yml

@@ -7,16 +7,14 @@ jobs:
   check-tag-version-job:
 
     name: Check Tag Version
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/[email protected]
-        with:
-          poetry-version: 2.0.1
+        uses: exasol/python-toolbox/.github/actions/[email protected]
 
       - name: Check Tag Version
         # make sure the pushed/created tag matched the project version

.github/workflows/checks.yml

@@ -1,12 +1,13 @@
 name: Checks
 
-on: workflow_call
+on:
+  workflow_call:
 
 jobs:
 
-  version-check-job:
-    name: Version Check
-    runs-on: ubuntu-latest
+  Version-Check:
+    name: Version
+    runs-on: ubuntu-24.04
 
     steps:
       - name: SCM Checkout
@@ -15,82 +16,142 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/[email protected]
-        with:
-          poetry-version: 2.0.1
+        uses: exasol/python-toolbox/.github/actions/[email protected]
 
       - name: Check Version(s)
-        run: poetry run version-check version.py
+        run: poetry run -- version-check version.py
 
-  build-documentation-job:
-    name: Build Documentation
-    needs: [version-check-job]
-    runs-on: ubuntu-latest
+  Documentation:
+    name: Docs
+    needs: [ Version-Check ]
+    runs-on: ubuntu-24.04
 
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/[email protected]
-        with:
-          poetry-version: 2.0.1
+        uses: exasol/python-toolbox/.github/actions/[email protected]
 
       - name: Build Documentation
         run: |
-          poetry run python -m nox -s docs:build
+          poetry run -- nox -s docs:build
+
+  build-matrix:
+    name: Generate Build Matrix
+    uses: ./.github/workflows/matrix-python.yml
+
+  Changelog:
+    name: Changelog Update Check
+    runs-on: ubuntu-24.04
+    if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: exasol/python-toolbox/.github/actions/[email protected]
+
+      - name: Run changelog update check
+        run: poetry run -- nox -s changelog:updated
 
-  lint-job:
+  Lint:
     name: Linting (Python-${{ matrix.python-version }})
-    needs: [version-check-job]
-    runs-on: ubuntu-latest
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
-      matrix:
-        python-version: ["3.10"]
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
 
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@0.20.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
         with:
-          poetry-version: 2.0.1
           python-version: ${{ matrix.python-version }}
 
-      - name: Run Tests
-        run: poetry run nox -s lint:code
+      - name: Run lint
+        run: poetry run -- nox -s lint:code
 
-  type-check-job:
+      - name: Upload Artifacts
+        uses: actions/[email protected]
+        with:
+          name: lint-python${{ matrix.python-version }}
+          path: |
+            .lint.txt
+            .lint.json
+          include-hidden-files: true
+
+  Type-Check:
     name: Type Checking (Python-${{ matrix.python-version }})
-    needs: [version-check-job]
-    runs-on: ubuntu-latest
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-24.04
     strategy:
       fail-fast: false
-      matrix:
-        python-version: ["3.10"]
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
 
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/python-environment@0.20.0
+        uses: exasol/python-toolbox/.github/actions/python-environment@1.0.1
         with:
-          poetry-version: 2.0.1
           python-version: ${{ matrix.python-version }}
 
-      - name: Run Tests
-        run: poetry run nox -s lint:typing
+      - name: Run type-check
+        run: poetry run -- nox -s lint:typing
+
+  Security:
+    name: Security Checks (Python-${{ matrix.python-version }})
+    needs: [ Version-Check, build-matrix ]
+    runs-on: ubuntu-24.04
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: exasol/python-toolbox/.github/actions/[email protected]
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run security linter
+        run: poetry run -- nox -s lint:security
+
+      - name: Upload Artifacts
+        uses: actions/[email protected]
+        with:
+          name: security-python${{ matrix.python-version }}
+          path: .security.json
+          include-hidden-files: true
+
+  Format:
+    name: Format Check
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: exasol/python-toolbox/.github/actions/[email protected]
+
+      - name: Run format check
+        run: poetry run -- nox -s project:format
 
   tests-job:
     name: Tests (Python-${{ matrix.python-version }})
-    needs: [build-documentation-job, lint-job, type-check-job]
+    needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ]
     strategy:
       fail-fast: false
-      matrix:
-        python-version: ["3.10"]
+      matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
     uses: ./.github/workflows/run-tests.yml
     secrets: inherit
     with:

.github/workflows/ci.yml

@@ -1,7 +1,12 @@
 name: CI
 
 on:
-  pull_request:
+  push:
+    branches-ignore:
+      - "github-pages/*"
+      - "gh-pages/*"
+      - "main"
+      - "master"
 
 jobs:
 
@@ -17,14 +22,14 @@ jobs:
   gate-1:
     name: Gate 1 - Regular CI
     needs: [ ci-job ]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Branch Protection
         run: true
 
   slow-test-detection:
     name: Run Slow or Expensive Tests (e.g. SaaS)?
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - name: Detect Slow Tests
         run: true
@@ -42,7 +47,7 @@ jobs:
 
   gate-2:
     name: Gate 2 - Allow Merge
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     needs: [ run-slow-tests ]
     steps:
       - name: Branch Protection

.github/workflows/gh-pages.yml

@@ -1,27 +1,29 @@
 name: Publish Documentation
 
-on: workflow_call
+on:
+  workflow_call:
+  workflow_dispatch:
 
 jobs:
 
   documentation-job:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Setup Python & Poetry Environment
-        uses: exasol/python-toolbox/.github/actions/[email protected]
-        with:
-          poetry-version: 2.0.1
+        uses: exasol/python-toolbox/.github/actions/[email protected]
 
       - name: Build Documentation
         run: |
-          poetry run python -m nox -s docs:build
+          poetry run -- nox -s docs:multiversion
 
       - name: Deploy
-        uses: JamesIves/github-pages-deploy-action@v4.4.1
+        uses: JamesIves/github-pages-deploy-action@v4.7.2
         with:
           branch: gh-pages
           folder: .html-documentation

.github/workflows/matrix-python.yml

@@ -0,0 +1,30 @@
+name: Build Matrix (Python)
+
+on:
+  workflow_call:
+    outputs:
+      matrix:
+        description: "Generates the python version build matrix"
+        value: ${{ jobs.python_versions.outputs.matrix }}
+
+jobs:
+  python_versions:
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: exasol/python-toolbox/.github/actions/[email protected]
+
+      - name: Generate matrix
+        run: poetry run -- nox -s matrix:python
+
+      - id: set-matrix
+        run: |
+          echo "matrix=$(poetry run -- nox -s matrix:python)" >> $GITHUB_OUTPUT
+
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}