ci: add automated issue/PR labeling and project board management (#82)

* ci: add workflows for auto-labeling and project board management

Add two GitHub Actions workflows:
- auto-label.yml: Automatically applies team/fs-wg and team/filecoin-pin labels to new issues and PRs
- add-issues-and-prs-to-fs-project-board.yml: Adds labeled issues/PRs to the FS project board

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: use PAT in auto-label workflow to trigger project board workflow

Use FILOZZY_CI_ADD_TO_PROJECT secret instead of default GITHUB_TOKEN
to ensure that when labels are added, the add-issues-and-prs-to-fs-project-board
workflow is properly triggered. Actions using GITHUB_TOKEN do not trigger
subsequent workflows by design.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* docs: add PAT requirements to auto-label workflow

Document the specific requirements for the FILOZZY_CI_ADD_TO_PROJECT secret:
- Must have public_repo scope to add labels to issues/PRs
- PAT owner must have at least triage access to the repository

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* fix: correct misleading comment about pull_request_target and secrets

The previous comment incorrectly stated that fork PRs don't have access to
secrets. In reality, pull_request_target DOES have access to secrets (unlike
pull_request), which is precisely why it's being used here - to authenticate
with the project board API for fork PRs.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* docs: clarify pull_request_target runs workflow from base branch

Add security note explaining that pull_request_target executes the workflow
file from the base branch (main), not from the PR branch. This prevents
attackers from modifying the workflow via PR to steal secrets.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

* dod fix

---------

Co-authored-by: Claude <[email protected]>

Author: BigLep

.github/workflows/add-issues-and-prs-to-fs-project-board.yml

@@ -0,0 +1,38 @@
+######################################################################################
+# READ THIS FIRST
+# This file is authored in filecoin-project/github-mgmt repository and MANUALLY copied to other repos.
+# See https://github.com/filecoin-project/github-mgmt/blob/master/files/.github/workflows/add-issues-and-prs-to-fs-project-board.yml for more info.
+######################################################################################
+
+# This action adds all issues and PRs with a "team/fs-wg" label to the FS project board.
+# It is used to keep the FS project board up to date with the issues and PRs.
+# It is triggered by the issue and PR events.
+# It assumes a `FILOZZY_CI_ADD_TO_PROJECT` secret is set in the repo.
+# This secret should have the permissions outlined in https://github.com/actions/add-to-project?tab=readme-ov-file#creating-a-pat-and-adding-it-to-your-repository
+name: Add issues and PRs to FS project board
+
+on:
+  issues:
+    types:
+      - labeled
+  # Using "pull_request_target" instead of "pull_request" to support PRs from forks.
+  # pull_request_target has access to secrets even for fork PRs, which is necessary
+  # for this action to authenticate and add items to the project board.
+  # pull_request_target runs the workflow file from the base branch (main),
+  # not from the PR branch, so attackers cannot modify this workflow via PR.
+  # This action does not check out nor execute user code so we should be safe.
+  # We also hardcode to specific hash to ensure no unintended changes underneath us.
+  pull_request_target:
+    types:
+      - labeled
+
+jobs:
+  add-to-project:
+    name: Add all "team/fs-wg" issues and PRs to project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        with:
+          project-url: https://github.com/orgs/FilOzone/projects/14
+          github-token: ${{ secrets.FILOZZY_CI_ADD_TO_PROJECT }}
+          labeled: team/fs-wg

.github/workflows/auto-label.yml

@@ -0,0 +1,33 @@
+name: Auto-label issues and PRs
+
+on:
+  issues:
+    types: [opened]
+  pull_request:
+    types: [opened]
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/github-script@v7
+        with:
+          # Use PAT instead of default GITHUB_TOKEN to trigger subsequent workflows.
+          # Events triggered by GITHUB_TOKEN do not create new workflow runs by design.
+          # This allows the add-issues-and-prs-to-fs-project-board.yml workflow to be triggered when labels are added.
+          # See: https://docs.github.com/en/actions/concepts/security/github_token
+          #
+          # PAT Requirements:
+          # - Scope: public_repo (to add labels to issues/PRs in public repositories)
+          # - Permissions: The PAT owner must have at least triage access to the repository
+          github-token: ${{ secrets.FILOZZY_CI_ADD_TO_PROJECT }}
+          script: |
+            github.rest.issues.addLabels({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: ['team/fs-wg', 'team/filecoin-pin']
+            })