CI labeler switched to pull_request_target, granting write context to fork PR runs

What this changes for operators

• Contributors and maintainers should note the PR-size labeler now runs under pull_request_target, which executes in the base-repo context with write-capable token access on fork PRs.
• This is the classic pwn-request surface: pull_request_target with any checkout or execution of fork-controlled content can leak the elevated token; operators forking or auditing the repo's CI should confirm the workflow does not check out and run untrusted PR code.
• Verification path: .github/workflows/pr-size-labeler.yml line 4 trigger change from pull_request to pull_request_target.
• Single decision for the repo-security auditor: review this workflow's token scope and whether it touches fork-controlled inputs.