
ci: add workflow to regenerate async-upload requirements.txt for Dependabot PRs #2414

Draft
jonburdo wants to merge 1 commit into kubeflow:main from jonburdo:dependabot-async-upload-job-gha

Conversation

@jonburdo (Member)

Dependabot updates pyproject.toml and poetry.lock but cannot run poetry export to regenerate requirements.txt, causing the "Check generated code or files are in sync" check to fail.

This adds a workflow that detects Dependabot PRs touching jobs/async-upload/poetry.lock, runs make install to regenerate requirements.txt, and commits the result.

Description

How Has This Been Tested?

Merge criteria:

  • All the commits have been signed-off (To pass the DCO check)
  • The commits have meaningful messages
  • Automated tests are provided as part of the PR for major new functionalities; testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work.
  • Code changes follow the kubeflow contribution guidelines.
  • For first time contributors: Please reach out to the Reviewers to ensure all tests are being run, ensuring the label ok-to-test has been added to the PR.

If you have UI changes

  • The developer has added tests or explained why testing cannot be added.
  • Included any necessary screenshots or gifs if it was a UI change.
  • Verify that UI/UX changes conform to the UX guidelines for Kubeflow.

…ndabot PRs

Dependabot updates pyproject.toml and poetry.lock but cannot run
`poetry export` to regenerate requirements.txt, causing the
"Check generated code or files are in sync" check to fail.

This adds a workflow that detects Dependabot PRs touching
jobs/async-upload/poetry.lock, runs `make install` to regenerate
requirements.txt, and commits the result.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jon Burdo <jon@jonburdo.com>
@google-oss-prow (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from jonburdo. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jonburdo (Member, Author)

Proposal: Enable workflow re-triggering for Dependabot PRs

Problem

Dependabot PRs that update jobs/async-upload/poetry.lock fail the
"Check generated code or files are in sync" CI check because Dependabot
cannot run poetry export to regenerate requirements.txt.

A new workflow (dependabot-async-upload-regen.yml) has been added to
automatically regenerate and commit requirements.txt on Dependabot PRs.
However, commits pushed with the default GITHUB_TOKEN do not
re-trigger other workflows (GitHub's anti-cascade protection), so the
failed check still requires a manual "Re-run failed jobs" click.

Proposed solution: GitHub App token

Create a GitHub App with minimal permissions and use it in the
regeneration workflow. Commits pushed with a GitHub App token do
re-trigger workflows, making Dependabot PRs fully automated.

Setup steps

  1. Create a GitHub App (requires org admin access to kubeflow):

    • Go to: https://github.com/organizations/kubeflow/settings/apps/new
    • Name: e.g., model-registry-ci-bot
    • Permissions: Contents: Read & write
    • No webhook URL needed (uncheck "Active" under Webhook)
    • Where can this GitHub App be installed? → "Only on this account"
  2. Install the App on the model-registry repository only.

  3. Generate a private key from the App's settings page and download it.

  4. Add repo secrets (Settings → Secrets and variables → Actions):

    • CI_APP_ID — the App's numeric ID (visible on the App settings page)
    • CI_APP_PRIVATE_KEY — the contents of the downloaded .pem file
  5. Update the workflow to use the App token:

    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.CI_APP_ID }}
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
    
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.head_ref }}
          token: ${{ steps.app-token.outputs.token }}
    
      # ... rest of workflow uses the app token for push

Alternative: Personal Access Token (PAT)

A PAT would also work but is less desirable:

  • Tied to an individual's account, not the org
  • Broader permissions than needed
  • Requires manual rotation
  • If the person leaves the org, the token breaks

A GitHub App is the recommended approach for org-owned repos.

Scope of impact

Once the App is set up, it can be reused for any future workflow that
needs to push commits that re-trigger CI (e.g., other auto-generated
files, auto-formatting PRs, etc.).
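
A complete workflow along the lines of the proposal above, added here as an example and not the PR's own file: it assumes that the `install` target of the Makefile in jobs/async-upload runs `poetry export` into requirements.txt, that the bot identity used for the commit is a placeholder, and that CI_APP_ID and CI_APP_PRIVATE_KEY are stored as Dependabot secrets as well as Actions secrets, because workflows triggered by Dependabot's pull_request events only see Dependabot secrets.

```yaml
# Added example, not the PR's own workflow: the regeneration job described above,
# pushing with a GitHub App token so the new commit re-triggers the other checks.
name: dependabot-async-upload-regen
on:
  pull_request:
    paths:
      - jobs/async-upload/poetry.lock

# Least privilege: GITHUB_TOKEN stays read-only; only the App token can push.
permissions:
  contents: read

jobs:
  regen:
    # Dependabot-authored events only. The App's own push comes back as a
    # synchronize event from a different actor, so this also stops the loop.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.CI_APP_ID }}
          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}

      # Check out the PR head with the App token so the later push uses it too.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          token: ${{ steps.app-token.outputs.token }}

      - name: Regenerate requirements.txt (assumed Makefile target runs poetry export)
        working-directory: jobs/async-upload
        run: |
          pipx install poetry
          make install

      - name: Commit and push only if requirements.txt changed
        working-directory: jobs/async-upload
        env:
          HEAD_REF: ${{ github.head_ref }}   # via env, never interpolated into the script
        run: |
          git diff --quiet -- requirements.txt && { echo "already in sync"; exit 0; }
          git config user.name "model-registry-ci-bot[bot]"            # placeholder identity
          git config user.email "ci-bot@example.invalid"               # placeholder address
          git add requirements.txt
          git commit -s -m "chore: regenerate async-upload requirements.txt"
          git push origin "HEAD:$HEAD_REF"
```

Keep it on `pull_request` rather than `pull_request_target`: `make install` executes the PR's dependency set, and `pull_request_target` would hand that code the base branch's secrets context.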

@jonburdo (Member, Author)

Not tested yet. Claude helped me generate the suggestion above. Any thoughts @tarilabs or others?
