Switch workflow event to pull_request_target and introduce labeler workflow

[annajung]

Signed-off-by: Anna Jung (VMware) antheaj@vmware.com

fixes https://github.com/SAME-Project/same-project/issues/61

• Update workflow event trigger to pull_request_target to give write access GITHUB_TOKEN to forked repos
• Add labeler workflow to add needs-ok-to-test label for all PRs which requires vetting and label ok-to-test to allow build/test workflow to trigger

Even though the labeler workflow also is given write access to label the pull request, I think that's okay based on the blog post which mentions that it's the explicit checkout of an untrusted PR that's the dangerous practice:

TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

I also think that someone with access needs to create the two labels (needs-ok-to-test and ok-to-test) manually before the labels can be used in the workflow.

[lukemarsden]

added labels https://github.com/SAME-Project/same-project/labels/needs-ok-to-test & https://github.com/SAME-Project/same-project/labels/ok-to-test

@annajung wanna test this out?

[lukemarsden]

hm, it broke https://github.com/SAME-Project/same-project/runs/5628253941?check_suite_focus=true, tried it fix it with: https://github.com/SAME-Project/same-project/commit/029793aaa516117f94320e0ca4fc2b759d95b4f4

but now: https://github.com/SAME-Project/same-project/runs/5628337705?check_suite_focus=true

@annajung any ideas?

[lukemarsden]

ah, trying https://github.com/SAME-Project/same-project/commit/004292cd87bba594117f29efb4b077d2cbd177a0