
Conversation

@Ronitsabhaya75
Contributor

@Ronitsabhaya75 Ronitsabhaya75 commented Oct 19, 2025

Type of Change

  • Added the split approach @katiewasnothere suggested using openssf
  • Added additional feature for colors

Motivation and Context

This can basically help teams know what changes are made in a PR.

Testing

  • Tested locally
Currently this is for CLI only; later we can add multiple.

Structure of how the workflow runs

Pull Request Opened (untrusted code)
             ↓
**pr-label-analysis.yml (Read-only)**
- Analyzes files using native git commands
- No secrets, no write permissions
- No third-party actions
- Saves to artifact
             ↓
Artifact Storage
- PR number + labels
             ↓
**pr-label-apply.yml (Write access)**
- Never touches PR code
- Only reads artifact data
- Uses GitHub official actions only
- Applies labels via github-script
             ↓
🏷️ Labels Applied!
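The two halves of the split described above, as an added shell example that is not part of this PR: `classify_labels` stands in for the read-only analysis step (the path prefixes and label names are assumptions; the real mapping belongs in `.github/labeler.yml` on main), and `read_artifact_pr_number` is the check the write-access job should run on the artifact before handing the number to the labeler.

```shell
#!/usr/bin/env sh
# Added example, not code from this PR. Two functions mirror the two halves
# of the split workflow: classify_labels is the read-only analysis step and
# read_artifact_pr_number is the validation the write-access job should run
# on the artifact before calling the labeler. Path prefixes and label names
# are assumptions; the real mapping belongs in .github/labeler.yml on main.

# Read changed paths (one per line) from stdin and print the matching labels,
# sorted and de-duplicated. Uses only shell builtins and sort: no secrets,
# no network, nothing executed from the PR.
classify_labels() {
    while IFS= read -r path; do
        case "$path" in
            cmd/*|cli/*)   echo cli ;;            # assumed CLI source prefixes
            .github/*)     echo ci ;;             # assumed label for workflow edits
            docs/*|*.md)   echo documentation ;;  # assumed docs label
        esac
    done | sort -u
}

# Accept the artifact file only if its first line is a plain decimal PR
# number (1-9 digits, no leading zero, no CR). Anything else is rejected so a
# malformed or tampered artifact never reaches the labeler's pr-number input.
read_artifact_pr_number() {
    file="$1"
    [ -f "$file" ] || return 1
    n=$(head -n 1 "$file" | tr -d '\r')
    case "$n" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#n}" -le 9 ] || return 1
    printf '%s\n' "$n"
}
```

In the analysis job, `git diff --name-only` output would be piped into `classify_labels` and the result written to the artifact next to the PR number; in the apply job, a failed `read_artifact_pr_number` should fail the job rather than fall back to any other source for the number.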

github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const labels = [
{ name: 'cli', color: '0E8A16', description: 'Changes to CLI components' },
Contributor

Instead of trying to encode the different label categories into the workflow job itself, maybe instead we could use the PR number parameter to actions/labeler in the label-apply workflow like this:

    - uses: actions/labeler@v6
      with:
        pr-number: |
          1
          <PR number we got from the artifact download>

We should double check that the labeler doesn't try to read the untrusted code. But my understanding is that the action does not checkout the PR code, just analyzes based on the files that have been changed.

Note: I think it would be unsafe to read the labeler's configuration file from the PR, we might have to settle for using the configuration in main. But we should look into that as well.

Contributor Author

Thanks for the suggestion, Katie! I've updated the workflows to use actions/labeler@v5 with the PR number from the artifact as you recommended.

Comment on lines 11 to 12
permissions:
issues: write
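Review bot: `permissions: issues: write` at lines 11 to 12 is declared at the workflow's top level, so every job in the file inherits it; set the top-level block to the minimum the jobs share (for example `contents: read`) and put `issues: write` only on the single job that applies labels.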
Contributor

See #781, the top level permissions should always be the least permissive possible and any additional permissions should be set at the job level.

Contributor Author

I changed the permission to read only.

@Ronitsabhaya75
Contributor Author

@katiewasnothere can you look at the changes I made? Please let me know if they are good.

@@ -0,0 +1,65 @@
name: Color Labels
Contributor

I don't think we need this. We can make them by hand for now.

Contributor Author

Should I remove the colors file?

Contributor

Yes

with:
pr-number: ${{ steps.pr-number.outputs.number }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
configuration-path: .github/labeler.yml
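Review bot: `pr-number: ${{ steps.pr-number.outputs.number }}` is taken from an artifact written while the untrusted PR was being analyzed, so the step that populates `steps.pr-number` should check that the value is a plain decimal integer before it reaches the labeler; and `configuration-path: .github/labeler.yml` is resolved on the runner's filesystem, so this job needs an earlier checkout of the default branch (not the PR head) for the configuration to exist and to stay under the repository's control.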
Contributor

Do we need to have checked out the repo to access this file?

Contributor Author

Yes, we need to checkout the repository to access the .github/labeler.yml configuration file. Without checkout, the workflow runner won't have access to any files from the repo, including the labeler configuration.

Contributor

I don't see the repo being checked out in this workflow

Contributor Author

I think I accidentally removed it; let me add it again. Thank you Katie for pointing that out.

@jglogan jglogan self-requested a review October 25, 2025 14:06