Add auto-upgrade workflow for embedded dependencies

[rahuldevikar]

Add a daily GitHub Actions workflow that:

• Runs tox -e upgrade to check for new pip/setuptools/wheel releases
• Automatically creates a PR with updated embedded wheels when new versions are detected
• Includes a job summary showing what changed
• Restricted to pypa org to avoid running on forks

Thanks for contributing, make sure you address all the checklists (for details on how see development documentation)

• ran the linter to address style issues (tox -e fix)
• wrote descriptive pull request text
• ensured there are test(s) validating the fix
• added news fragment in docs/changelog folder
• updated/extended the documentation

[gaborbernat]

We need to implement a slight delay window here by default to follow our delay policy: https://virtualenv.pypa.io/en/latest/explanation.html#periodic-update-mechanism

Generally we wait at least a week before we pull in a new wheel as embedded.

[gaborbernat]

We could setup a PAT to allow it to run and go through 🤔

[rahuldevikar]

I thought, it might be a security concern, but whose PAT we would use?

[gaborbernat]

Probably mine for now 🤔 We could make it optional, and hopefully at some point can setup a fine grained PAT https://discuss.python.org/t/fine-grained-pat-approvals-and-release-automation-in-pypa-projects/106197 so only has rights to this repo and not otherwise.

[gaborbernat]

Could be also interesting to see if we can use https://docs.github.com/en/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys here 🤔