Python: track dependency maintenance PR creation #6665

Open

eavanvalkenburg wants to merge 1 commit into microsoft:main from eavanvalkenburg:ev/python-dependency-maintenance-tracking-issue
Conversation

@eavanvalkenburg (Member)

Motivation & Context

The Python dependency maintenance workflow now validates and pushes generated dependency updates, but repository policy prevents GitHub Actions from creating pull requests. The current publishing step fails after successfully updating automation/python-dependency-maintenance, leaving a failed workflow even though the useful automation completed.

This keeps the workflow within the allowed permissions boundary by publishing a tracking issue with manual PR creation instructions instead of trying to create the PR from Actions.

Description & Review Guide

  • What are the major changes? Replace the final gh pr create/edit step with a GitHub Script step that creates or updates a stable tracking issue for the generated dependency-maintenance branch.
  • What is the impact of these changes? The workflow can complete successfully after pushing validated dependency updates, and maintainers get the branch SHA, compare link, run URL, generated PR body, and ready-to-run gh pr create command inline in the issue.
  • What do you want reviewers to focus on? Confirm the new issue body contains enough information for a maintainer to create the PR manually, and that token scope remains limited to issue creation/update.

Related Issue

No linked issue; this fixes a scheduled/manual Python dependency maintenance workflow failure observed after #6662.

Contribution Checklist

  • The code builds clean without any errors or warnings
  • All unit tests pass, and I have added new tests where possible
  • The PR follows the Contribution Guidelines
  • This PR is linked to an issue and there is no other open PR for this issue (see Related Issue above).
  • This is not a breaking change. If it is a breaking change, add the breaking change label (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
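The create-or-update tracking-issue step the description outlines, as an added example that is not the PR's workflow code: it follows the github-script client shape (`github.paginate`, `github.rest.issues.*`) but runs against an in-memory stand-in so it works offline; the function names, the fake client and the sample values are assumptions, not taken from the workflow.

```javascript
const ISSUE_TITLE = "Python dependency maintenance PR needed";

// Render the issue body a maintainer needs to open the PR by hand: branch SHA,
// compare link, run URL, the generated PR body and a gh pr create command.
function buildIssueBody({ owner, repo, branch, sha, runUrl, prBody }) {
  return [
    `Branch: ${branch} at ${sha}`,
    `Compare: https://github.com/${owner}/${repo}/compare/main...${branch}`,
    `Workflow run: ${runUrl}`,
    "",
    "Create the PR with (save the PR body below as pr-body.md first):",
    `    gh pr create --repo ${owner}/${repo} --base main --head ${branch} \\`,
    '      --title "Python: dependency maintenance" --body-file pr-body.md',
    "",
    prBody,
  ].join("\n");
}

// Reuse the open tracking issue with this exact title, or create one.
// issues.listForRepo also returns pull requests, so those are filtered out.
async function upsertTrackingIssue(github, owner, repo, body) {
  const open = await github.paginate(github.rest.issues.listForRepo, {
    owner, repo, state: "open", per_page: 100,
  });
  const existing = open.find((i) => i.title === ISSUE_TITLE && !i.pull_request);
  if (existing) {
    await github.rest.issues.update({ owner, repo, issue_number: existing.number, body });
    return { number: existing.number, created: false };
  }
  const { data } = await github.rest.issues.create({ owner, repo, title: ISSUE_TITLE, body });
  return { number: data.number, created: true };
}

// Constructed in-memory stand-in for the github-script client (assumption) so this runs offline.
function fakeGithub(issues) {
  let next = 100;
  const find = (n) => issues.find((i) => i.number === n);
  return {
    paginate: async () => issues.filter((i) => i.state === "open"),
    rest: { issues: {
      listForRepo: async () => ({ data: issues }),
      update: async ({ issue_number, body }) => ({ data: Object.assign(find(issue_number), { body }) }),
      create: async ({ title, body }) => {
        const issue = { number: next++, title, body, state: "open" };
        issues.push(issue);
        return { data: issue };
      },
    } },
  };
}
```

Returning the issue number from the upsert is what lets a follow-up step put the tracking issue into the generated PR body, which is the gap the automated review below points out.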
Copilot AI review requested due to automatic review settings June 22, 2026 15:25

@github-actions github-actions Bot (Contributor) left a comment

Automated Code Review

Reviewers: 5 | Confidence: 92%

✓ Correctness

The PR correctly replaces the gh pr create/edit step with a GitHub Script step that creates or updates a tracking issue. The logic is sound: it fetches the branch SHA, constructs informative issue content with manual PR creation instructions, then either updates an existing issue or creates a new one. The pull-requests: write permission removal is consistent with the new behavior. No correctness bugs found.

✓ Security Reliability

This change reduces token permissions by removing pull-requests: write and replaces direct PR creation with a tracking issue. The script uses hardcoded strings and GitHub context values (no user-controlled input flows into the issue body), the action is SHA-pinned, and the overall security posture is improved through permission reduction. No injection risks, resource leaks, or unhandled failure modes were identified.

✓ Test Coverage

This PR modifies a GitHub Actions workflow file (.github/workflows/python-dependency-maintenance.yml) to replace a gh pr create/edit CLI step with a github-script step that creates/updates a tracking issue. This is purely CI infrastructure code—inline JavaScript in a YAML workflow file—for which no test harness exists in the repository, nor is one standard practice for GitHub Actions workflows. There are no application code changes that would require new unit or integration tests. The existing test suites (python-tests, python-merge-tests, etc.) are unaffected by this change.

✓ Failure Modes

The change replaces a gh pr create/edit shell step with a GitHub Script step that creates/updates a tracking issue. The script has no try/catch, but this is appropriate since unhandled errors in actions/github-script cause visible step failures rather than silent ones. The concurrency group prevents race conditions between concurrent runs. The getRef call is guarded by the has_changes == 'true' condition which is only set after a successful push, ensuring the branch exists. No concrete silent failure paths, swallowed exceptions, or partial-write issues were identified.

✓ Design Approach

The workflow change is directionally sound and stays within the tighter token scope, but the new tracking-issue flow leaves one design gap: the generated gh pr create command still uses a PR body that says there is no linked issue, even though this workflow just created or updated one. That means the replacement path is not actually "ready to run" without a manual edit to fix the PR metadata.

Suggestions

  • Populate the generated PR body with the tracking issue number (after resolving existingIssue/createdIssue) so the gh pr create command assembled at lines 372–380 produces a PR that references the tracking issue instead of stating "No linked issue" with an unchecked checklist item at line 367.

Automated review by eavanvalkenburg's agents

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the Python dependency maintenance workflow to stop attempting PR creation (blocked by repo policy) and instead publish a tracking issue with all the information needed for a maintainer to create the PR manually.

Changes:

  • Removed pull-requests: write permission and replaced the final gh pr create/edit step with an actions/github-script step.
  • The workflow now creates/updates a “Python dependency maintenance PR needed” issue containing the branch SHA, compare link, run URL, generated PR body, and a ready-to-run gh pr create command.

`cat > "$PR_BODY_FILE" <<'EOF'`,
prBody,
"EOF",
"gh pr create --repo microsoft/agent-framework --base main \\",
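Review bot: the heredoc built here quotes its delimiter (`<<'EOF'`), which correctly keeps the shell from expanding anything inside prBody, but a line of the generated body that is exactly `EOF` would end the heredoc early and silently truncate the PR body; consider a less collision-prone delimiter (for example `PR_BODY_EOF`) or writing the body to the file from the script instead of embedding it in the command.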
Comment on lines +406 to +410
const openIssues = await github.paginate(github.rest.issues.listForRepo, {
owner,
repo,
state: "open",
per_page: 100,
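Review bot: the lookup at lines 406–410 pages through every open issue in the repository to find the tracking issue, and `issues.listForRepo` also returns pull requests, so a PR with the same title would be matched unless items carrying a `pull_request` field are skipped; consider narrowing the query with a `labels` filter as well, so a large issue backlog keeps the search cheap and a maintainer's similarly titled issue is not updated by mistake.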