fix(ci): Add secure PR labeler workflow with v5 config

.github/README.md

@@ -0,0 +1,23 @@
+# GitHub Actions Workflows
+
+## PR Labeler
+
+The PR Labeler workflow automatically applies labels to pull requests based on the files changed.
+
+### Security Considerations
+
+This implementation addresses security concerns identified in similar workflows:
+
+1. **Uses `pull_request` instead of `pull_request_target`**: The workflow uses the `pull_request` event to avoid security risks associated with running untrusted code from PRs with elevated permissions. This is the recommended approach for labeling workflows.
+
+2. **No checkout of untrusted code**: By using the `pull_request` event, the workflow automatically checks out the base branch, avoiding the security risk of executing potentially malicious code from PRs.
+
+3. **Fork compatibility**: Works correctly with PRs from forked repositories without requiring special configuration.
+
+### Configuration
+
+Labels are automatically applied based on file patterns defined in `.github/labeler.yml`. The configuration uses the actions/labeler@v5 schema with array matchers.
+
+Available labels:
+- Module labels: `api`, `bloom-filter`, `config`, `consensus`, `core`, `crypto`, `distributed-ledger`, `erasure-code`, `network`, `protocol`, `shared-resources`, `trie`, `util`
+- Functional labels: `documentation`, `ci`, `docker`, `build`, `tests`

.github/labeler.yml

@@ -0,0 +1,92 @@
+# GitHub Actions Labeler configuration for actions/labeler@v5
+# This configuration uses the v5 schema with array matchers
+
+# Module-specific labels
+api:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-api/**/*'
+
+bloom-filter:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-bloom-filter/**/*'
+
+config:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-config/**/*'
+
+consensus:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-consensus/**/*'
+
+core:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-core/**/*'
+
+crypto:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-crypto/**/*'
+
+distributed-ledger:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-distributed-ledger/**/*'
+
+erasure-code:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-erasure-code/**/*'
+
+network:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-network/**/*'
+
+protocol:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-protocol/**/*'
+
+shared-resources:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-shared-resources/**/*'
+
+trie:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-trie/**/*'
+
+util:
+  - changed-files:
+    - any-glob-to-any-file: 'adrestus-util/**/*'
+
+# Documentation labels
+documentation:
+  - changed-files:
+    - any-glob-to-any-file: 
+      - '**/*.md'
+      - 'docs/**/*'
+
+# CI/CD labels
+ci:
+  - changed-files:
+    - any-glob-to-any-file:
+      - '.github/**/*'
+      - '.circleci/**/*'
+      - 'appveyor.yml'
+
+# Docker labels
+docker:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'Dockerfile*'
+      - 'docker-compose.yml'
+      - '.dockerignore'
+
+# Build configuration labels
+build:
+  - changed-files:
+    - any-glob-to-any-file:
+      - 'pom.xml'
+      - '**/pom.xml'
+      - 'makefile'
+      - '*.sh'
+
+# Test labels
+tests:
+  - changed-files:
+    - any-glob-to-any-file: '**/src/test/**/*'

.github/workflows/pr-labeler.yml

@@ -0,0 +1,29 @@
+name: PR Labeler
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Print labeler config
+        run: |
+          echo "=== .github/labeler.yml ==="
+          # Print only the first 200 lines to avoid log overflow in CI output
+          sed -n '1,200p' .github/labeler.yml
+
+      - uses: actions/labeler@v5
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          configuration-path: .github/labeler.yml
+          sync-labels: true
+          dot: true