[repo] Auto label PR workflow permissions fix #5684

Merged
merged 4 commits into from
Jun 11, 2024

Conversation

CodeBlanch
Member

Changes

  • Fix add-labels.yml so that it is able to label PRs opened from forks

Details

There is a bit of knowledge required to understand what is going on here. The pull_request trigger is special on GitHub. It is essentially executing code from untrusted sources (forks) so by default it only has read permission to everything. To label something you need write access. The pull_request_target trigger runs as the main repo and can have write permission. It also sees secrets which for this workflow is undesirable.

Info: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

What we don't want to do is execute anything from forks with a token granted under pull_request_target scope. If we did, someone could open a PR with some code to write out secrets and we would run it.

To mitigate this, what this PR does is check out the main branch (github.event.repository.default_branch) to execute the PowerShell that labels PRs.

Here is a demo showing that whatever the user has for add-labels.psm1 in their fork is NOT run: https://github.com/CodeBlanchOrg/opentelemetry-dotnet/pull/45/files

We can see the correct branch being checked out here: https://github.com/CodeBlanchOrg/opentelemetry-dotnet/actions/runs/9453234045/job/26038183882?pr=45#step:2:170

For a standard pull_request trigger notice the merge branch is checked out: https://github.com/open-telemetry/opentelemetry-dotnet/actions/runs/9415790656/job/25937523267?pr=5647#step:2:170

Merge requirement checklist

  • CONTRIBUTING guidelines followed (license requirements, nullable enabled, static analysis, etc.)
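The two workflow shapes the description contrasts, written out as an added example (this is not the repository's actual add-labels.yml): the script path, its parameter and the job layout are assumptions; the trigger, permission and checkout settings are the point.

```yaml
# UNSAFE pattern: pull_request_target grants a write-capable token, and the
# checkout below pulls the fork's commit, so the fork author controls the
# script that runs with that token.
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  pull-requests: write            # needed to add labels
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
      - shell: pwsh
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.number }}
        # hypothetical script path; in this layout it comes from the fork
        run: ./build/scripts/add-labels.ps1 -PullRequest $env:PR_NUMBER

---
# SAFER pattern (the approach this PR takes): same trigger, but the script is
# taken from the base repository's default branch, never from the fork, and
# only the token the label step needs is exposed to it.
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # default branch of the base repo, as in the PR description
          ref: ${{ github.event.repository.default_branch }}
      - shell: pwsh
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.number }}
        # hypothetical script path; now it is the trusted copy from main
        run: ./build/scripts/add-labels.ps1 -PullRequest $env:PR_NUMBER
```

To confirm which copy ran, check the "Checking out the ref" line of the checkout step in the job log, as the description does for its demo run.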

@CodeBlanch CodeBlanch requested a review from a team June 10, 2024 18:15

codecov bot commented Jun 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 86.12%. Comparing base (6250307) to head (2b915a6).
Report is 256 commits behind head on main.

@@            Coverage Diff             @@
##             main    #5684      +/-   ##
==========================================
+ Coverage   83.38%   86.12%   +2.73%     
==========================================
  Files         297      254      -43     
  Lines       12531    11054    -1477     
==========================================
- Hits        10449     9520     -929     
+ Misses       2082     1534     -548     
Flag                                          Coverage Δ
unittests                                     ?
unittests-Project-Experimental                85.98% <ø> (?)
unittests-Project-Stable                      85.72% <ø> (?)
unittests-Solution                            86.00% <ø> (?)
unittests-UnstableCoreLibraries-Experimental  20.13% <ø> (?)

Flags with carried forward coverage won't be shown.

see 127 files with indirect coverage changes

@CodeBlanch CodeBlanch merged commit 48ce500 into open-telemetry:main Jun 11, 2024
50 checks passed
@CodeBlanch CodeBlanch deleted the repo-auto-label-pr-fix branch June 11, 2024 17:28