
Draft: automate weekly cross-repo dependency alert sync#195

Draft
ihalatci wants to merge 2 commits into master from automation/security-sync-orchestrator

Conversation

@ihalatci (Contributor) commented Mar 3, 2026

Summary

Implements weekly cross-repo dependency alert orchestration (Sunday 02:00 UTC) using packagingApp credentials, with manual approval/merge kept in place.

What this adds

  • Orchestrator workflow in the-process:
    • .github/workflows/dependency-security-sync.yml
    • Runs weekly and on manual dispatch
    • Reads open Dependabot alerts from citus
    • Updates citus Pipfiles/lockfiles and regenerates the-process requirements
    • Opens/updates consolidated PRs and closes superseded Dependabot PRs
  • Post-merge callback workflow:
    • .github/workflows/dependency-security-post-merge.yml
    • On merge of the-process sync PR to master, computes postfix from merged commit SHA
    • Updates image_suffix in citus/.github/workflows/build_and_test.yml on sync branch
  • Sync script:
    • .github/scripts/security_sync.py
    • Generalized to apply all alert-derived patched package versions (not hardcoded to specific packages)

Reviewer notes (based on requested corrections)

  1. Dependency handling generalized: no package-specific hardcoding; alert payload drives updates.
  2. Image postfix source fixed: uses merged the-process commit SHA (-v<sha7>) and patches citus image_suffix.
  3. Dependabot schedule untouched: orchestration schedule is weekly Sunday 02:00 UTC; Dependabot detection cadence is not redefined by this PR.

Operational assumptions

  • Secrets available in the-process repo:
    • PACKAGING_APP_ID
    • PACKAGING_APP_PRIVATE_KEY
  • Branches used by automation:
    • automation/dependency-security-sync

Open point for follow-up

  • If desired, Dependabot PR creation suppression should be enforced in repository settings/policy (workflow can still close PRs if any are created).
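The alert-driven bump selection and the post-merge image_suffix patch described in the comment above, as an added Python illustration. This is not the project's security_sync.py or either workflow: the Dependabot alert payload (shaped like the REST alerts endpoint response), the Pipfile.lock document, the workflow fragment and every function name are constructed for the example. It shows the points a reviewer would check in a generalized sync: dismissed alerts and other ecosystems are skipped, several alerts on one package collapse to the highest patched version, alerts with no patched version are surfaced instead of dropped, already-safe pins are left alone, and the image_suffix rewrite fails loudly if the key is missing.

```python
"""Added illustration, not the project's code: alert-derived bumps applied to a
Pipfile.lock, plus the -v<sha7> postfix and image_suffix patch."""
import json
import re

# Constructed sample in the shape of GET /repos/{owner}/{repo}/dependabot/alerts.
# Only the fields the logic consumes are present.
SAMPLE_ALERTS = [
    {"number": 1, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "requests"},
                    "manifest_path": "Pipfile.lock"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.31.0"}}},
    {"number": 2, "state": "open",   # second alert on the same package
     "dependency": {"package": {"ecosystem": "pip", "name": "requests"},
                    "manifest_path": "Pipfile.lock"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.32.4"}}},
    {"number": 3, "state": "dismissed",   # not open: must be ignored
     "dependency": {"package": {"ecosystem": "pip", "name": "urllib3"},
                    "manifest_path": "Pipfile.lock"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.2.2"}}},
    {"number": 4, "state": "open",   # no fix published: cannot be auto-bumped
     "dependency": {"package": {"ecosystem": "pip", "name": "leftpad"},
                    "manifest_path": "Pipfile.lock"},
     "security_vulnerability": {"first_patched_version": None}},
    {"number": 5, "state": "open",   # npm alert, outside the pip sync's scope
     "dependency": {"package": {"ecosystem": "npm", "name": "lodash"},
                    "manifest_path": "package-lock.json"},
     "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}}},
]

# Constructed Pipfile.lock subset (hashes shortened; real ones are sha256 digests).
SAMPLE_LOCK = json.dumps({
    "default": {
        "requests": {"version": "==2.28.1", "hashes": ["sha256:old"]},
        "urllib3": {"version": "==2.2.2"},
        "idna": {"version": "==3.6"},
    },
    "develop": {},
})

# Constructed fragment of a build workflow carrying the image_suffix key.
SAMPLE_WORKFLOW = 'env:\n  image_suffix: "-vold1234"\n'


def _version_key(v):
    # Simplified ordering: numeric dotted parts compare as integers, other parts
    # as text. Enough for the example; not a full PEP 440 comparison.
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def required_bumps(alerts, ecosystem="pip"):
    """Return (bumps, unfixable): package -> lowest version closing all its open
    alerts, and the alert numbers that have no patched version to move to."""
    bumps, unfixable = {}, []
    for alert in alerts:
        if alert["state"] != "open":
            continue
        pkg = alert["dependency"]["package"]
        if pkg["ecosystem"] != ecosystem:
            continue
        fixed = alert["security_vulnerability"].get("first_patched_version")
        if not fixed:
            unfixable.append(alert["number"])
            continue
        name, target = pkg["name"].lower(), fixed["identifier"]
        # Several alerts on one package: keep the highest patched version so a
        # single bump closes every alert.
        if name not in bumps or _version_key(target) > _version_key(bumps[name]):
            bumps[name] = target
    return bumps, unfixable


def apply_to_pipfile_lock(lock_text, bumps):
    """Re-pin bumped packages in a Pipfile.lock document; returns (text, changes).
    Hashes of touched entries are dropped because they belong to the old
    artifact; the real pipeline has to re-lock afterwards."""
    lock = json.loads(lock_text)
    changes = []
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            target = bumps.get(name.lower())
            if target is None:
                continue
            current = spec.get("version", "").lstrip("=")
            if current and _version_key(current) >= _version_key(target):
                continue   # already at or above the patched version
            spec["version"] = f"=={target}"
            spec.pop("hashes", None)
            changes.append((section, name, current, target))
    return json.dumps(lock, indent=4, sort_keys=True) + "\n", changes


def image_postfix(merged_sha):
    # Post-merge callback input: the merged the-process commit SHA -> -v<sha7>.
    return f"-v{merged_sha[:7]}"


def patch_image_suffix(workflow_yaml, postfix):
    """Rewrite the single image_suffix value; refuse to succeed silently if the
    key is missing or duplicated, so an unpatched build cannot slip through."""
    new, count = re.subn(r"^([ \t]*image_suffix:[ \t]*).*$",
                         lambda m: f'{m.group(1)}"{postfix}"',
                         workflow_yaml, flags=re.MULTILINE)
    if count != 1:
        raise ValueError(f"expected exactly one image_suffix line, found {count}")
    return new


if __name__ == "__main__":
    bumps, unfixable = required_bumps(SAMPLE_ALERTS)
    new_lock, changes = apply_to_pipfile_lock(SAMPLE_LOCK, bumps)
    print("bumps:", bumps, "unfixable alerts:", unfixable)
    print("lock changes:", changes)
    print(patch_image_suffix(SAMPLE_WORKFLOW, image_postfix("abcdef1234567890")))
```

The unfixable list is the part worth wiring into the orchestrator's PR body or a failure status: an open alert with no first_patched_version is exactly the case a purely alert-driven bump loop would otherwise never mention.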

