add dependency-update workflow template (fixes #683)

[Rimsha2535]

Fixes #683

Checklist

Note: If any of the items in the checklist are not relevant to your PR, just check the box.

For any Pull Request

Is the following correct:

• the title of the Pull Request?
• the title of the corresponding issue?
• there are no other open [Pull Requests](../../../../pulls) for the same update/change?
• that the issue which this Pull Request fixes ("Fixes...") is mentioned?

When Changes Were Made

Did you:

• update the changelog?
• update the cookiecutter-template?
• update the implementation?
• check coverage and add tests: unit tests and, if relevant, integration tests?
• update the User Guide & other documentation?
• resolve any failing CI criteria (incl. Sonar quality gate)?

When Preparing a Release

Have you:

• thought about version number (major, minor, patch)?
• checked Exasol packages for updates and resolved open vulnerabilities, if easily possible?

---

Notes

• Changelog was not updated because this is an internal workflow/template change.
• No separate cookiecutter-template update was needed because the workflow template itself was updated.
• CI checks are currently failing and will be fixed.

[ArBridgeman]

We can ask the users of the python-toolbox what they'd prefer.

When I'd written that we perform a check by running poetry run -- nox -s dependency:audit, I had thought we could check to see if there are vulnerabilities detected or not. If there were vulnerabilities, then we'd proceed with updating the dependencies. Otherwise, we would skip the update.

One way to do this would be to check the length of the produced JSON;

# this will both print the results & output them to a json file
poetry run -- nox -s dependency:audit | tee vulnerabilities.json

LENGTH=$(jq 'length' vulnerabilities.json)
echo "count=$LENGTH" >> $GITHUB_OUTPUT

In the next step, where we run update-dependencies, we can add an if-statement

if: steps.audit-dependencies.outputs.count > 0

[ArBridgeman]

In general, we try not to use third-party GitHub actions. This is because they can pose a security risk. Currently, we still use the a few third-party actions, like ravsamhq/notify-slack-action, as there isn't a GitHub equivalent.

So for the "Create Pull Request", we'd prefer to use the GitHub provided commands, so this should look mostly the same as:
https://github.com/exasol/project-keeper/blob/main/.github/workflows/dependencies_update.yml#L120

Though, we do not need to have as many initial checks as is provided in:
https://github.com/exasol/project-keeper/blob/main/.github/workflows/dependencies_update.yml#L132

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud