add dependency-update workflow template (fixes #683)

[Rimsha2535]

Fixes #683

Checklist

Note: If any of the items in the checklist are not relevant to your PR, just check the box.

For any Pull Request

Is the following correct:

• the title of the Pull Request?
• the title of the corresponding issue?
• there are no other open [Pull Requests](../../../../pulls) for the same update/change?
• that the issue which this Pull Request fixes ("Fixes...") is mentioned?

When Changes Were Made

Did you:

• update the changelog?
• update the cookiecutter-template?
• update the implementation?
• check coverage and add tests: unit tests and, if relevant, integration tests?
• update the User Guide & other documentation?
• resolve any failing CI criteria (incl. Sonar quality gate)?

When Preparing a Release

Have you:

• thought about version number (major, minor, patch)?
• checked Exasol packages for updates and resolved open vulnerabilities, if easily possible?

---

Notes

• Changelog was not updated because this is an internal workflow/template change.
• No separate cookiecutter-template update was needed because the workflow template itself was updated.
• CI checks are currently failing and will be fixed.

[ArBridgeman]

The GitHub workflow code looked good, but it's always good test, so here are those tests done via
another branch (nearly identical to this one):

Use cases:

1. ✅ No vulnerability detected, so no update
   https://github.com/exasol/python-toolbox/actions/runs/24443525540/job/71414050584
2. ✅ Vulnerability detected, do an update, & create PR
   https://github.com/exasol/python-toolbox/actions/runs/24444147768/job/71416082184

Example PR:
#780

Like @ckunki said, we likely need to modify this text more to tell the user what to do. But it sounds like this would be done in a later effort.

[ckunki]

Added 2 comments

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[ArBridgeman]

duplicate field

Suggested change

status: '${{ job.status }}',

[ArBridgeman]

duplicate field

Suggested change

token: '${{ secrets.GITHUB_TOKEN }}',

[ArBridgeman]

duplicate field

Suggested change

notification_title: 'Dependency update for {repo} created a Pull Request',

[ArBridgeman]

not needed

Suggested change

pr_url=$(gh pr create \

[ArBridgeman]

not needed

Suggested change

--base "$BASE_BRANCH" \

[ArBridgeman]

not needed

Suggested change

--title "Update dependencies to fix vulnerabilities ($(date '+%Y-%m-%d'))" \

[ArBridgeman]

not needed

Suggested change

--body "Automated dependency update for \`poetry.lock\`.)

[ArBridgeman]

not needed

Suggested change

echo "pr_url=$pr_url" >> "$GITHUB_OUTPUT"

[ArBridgeman]

not needed

Suggested change

- \`poetry update\`"

[ArBridgeman]

not needed

Suggested change

- \`poetry run -- nox -s dependency:audit\`

[ArBridgeman]

not needed

Suggested change

This PR was created by the dependency update workflow after running:

[ckunki]

Why has this been removed, now?

[Rimsha2535]

@ckunki Sorry, there was a merge conflict in that file and I think this line was accidentally removed while resolving it.

[ArBridgeman]

Thanks, this shouldn't be removed. It's related to the PTB not fully supporting GitHub workflow changes.
So the poetry run -- nox -s workflow:generate -- all overwrites & we need to manually ensure it stays 😿
@Rimsha2535 lmk if you want to pair briefly on this one.