add dependency-update workflow template (fixes #683)

[Rimsha2535]

Fixes #683

Checklist

Note: If any of the items in the checklist are not relevant to your PR, just check the box.

For any Pull Request

Is the following correct:

• the title of the Pull Request?
• the title of the corresponding issue?
• there are no other open [Pull Requests](../../../../pulls) for the same update/change?
• that the issue which this Pull Request fixes ("Fixes...") is mentioned?

When Changes Were Made

Did you:

• update the changelog?
• update the cookiecutter-template?
• update the implementation?
• check coverage and add tests: unit tests and, if relevant, integration tests?
• update the User Guide & other documentation?
• resolve any failing CI criteria (incl. Sonar quality gate)?

When Preparing a Release

Have you:

• thought about version number (major, minor, patch)?
• checked Exasol packages for updates and resolved open vulnerabilities, if easily possible?

---

Notes

• Changelog was not updated because this is an internal workflow/template change.
• No separate cookiecutter-template update was needed because the workflow template itself was updated.
• CI checks are currently failing and will be fixed.

[ArBridgeman]

You don't need to change it this time, but by convention, we normally name the branch feature/683-dependency-update-workflow.

By having the issue number in the branch name, we can better ensure that the branch name is unique. This can be helpful for locally checking out the branch as it makes it easily more identifiable.

[ArBridgeman]

workflow_dispatch usually only works if we've merged the branch to the default branch. Ideally, we'd like to test it out before then.

Was there an approach you and @kratz00 had discussed?

---

One idea is that we could use workflow_call and have .github/workflows/dependency-update.yml called by the ci.yml.

[ArBridgeman]

We can ask the users of the python-toolbox what they'd prefer.

When I'd written that we perform a check by running poetry run -- nox -s dependency:audit, I had thought we could check to see if there are vulnerabilities detected or not. If there were vulnerabilities, then we'd proceed with updating the dependencies. Otherwise, we would skip the update.

One way to do this would be to check the length of the produced JSON;

# this will both print the results & output them to a json file
poetry run -- nox -s dependency:audit | tee vulnerabilities.json

LENGTH=$(jq 'length' vulnerabilities.json)
echo "count=$LENGTH" >> $GITHUB_OUTPUT

In the next step, where we run update-dependencies, we can add an if-statement

if: steps.audit-dependencies.outputs.count > 0

[ArBridgeman]

In general, we try not to use third-party GitHub actions. This is because they can pose a security risk. Currently, we still use the a few third-party actions, like ravsamhq/notify-slack-action, as there isn't a GitHub equivalent.

So for the "Create Pull Request", we'd prefer to use the GitHub provided commands, so this should look mostly the same as:
https://github.com/exasol/project-keeper/blob/main/.github/workflows/dependencies_update.yml#L120

Though, we do not need to have as many initial checks as is provided in:
https://github.com/exasol/project-keeper/blob/main/.github/workflows/dependencies_update.yml#L132