Create adr-labeler workflow

[jonchurch]

Related to #296 (comment)

Will label any PR that touches the adr dir w/ ADR label

[bjohansebas]

I like it, although I'm sure it will give an error like in expressjs/expressjs.com#1553

[jonchurch]

Right, default token perms are read on prs

I think it needs this update

permissions:
  pull-requests: write
  issues: write

[bjohansebas]

I still think it wouldn't work, we tried that in expressjs/expressjs.com#1557 and it didn't work. The only way we believe might work, although we haven't tested it yet, is by creating a token with the permissions as attempted in expressjs/expressjs.com#1642.

[jonchurch]

Ah, it's the permission model for forks mucking that up in the linked issue.

See the docs for GH_TOKEN perms, there's a note about this at the bottom.

I'll push an update to allow this to run based on PRs from forks.

[jonchurch]

After looking into this, idk that there's a safe way to do this tbh. We can use pull_request_target to give forks the right permissions, but then they could possibly leak the token w/ those elevated perms. Same w/ the PAT approach, could trigger a workflow run, alter the workflow file in the PR, leak the token.

The original PR works as long as folks aren't opening PRs based on forks, but creating branches here in the repo.

A github bot or github app might be the safest way to do this, can edit the PRs w/o having elevated permissions in a workflow file that can be altered by PRs coming from forks.

TIL: the permission model of GHA is pretty wild

[wesleytodd]

Can we change the name to RFC? I thought we had discussed that, but maybe with this new automation it is the time to do it?