
Add shared labeling scripts + label taxonomy#3

Merged: bryanbeverly merged 1 commit into main from feat/pr-labeling-script-relocation on Apr 20, 2026
@bryanbeverly bryanbeverly commented Apr 20, 2026

Summary

Adds shared label and labeling-script artifacts used by org reusable workflows. These files live here (rather than in an internal repo) because GitHub's auto-generated GITHUB_TOKEN is scoped to the workflow's calling repo and cannot actions/checkout an internal repo, even with "Actions > Access" enabled. Hosting these data/script files in this public repo lets reusable workflows in our internal .github-private repo check them out without a PAT or App credential.

The reusable workflow YAML itself, the operator docs, and rollout-specific configuration continue to live in .github-private. Only the non-sensitive shared data and scripts move here.

Files added

  • labels.yml — standard label taxonomy (size/risk/review/status/complexity).
  • .github/scripts/pr_labeler.py — computes size, risk (from Bugbot CURSOR_SUMMARY), and template-checkbox labels for one or more PRs. Idempotent; handles event, single-PR, and full-backfill modes.
  • .github/scripts/label_sync.py — reads labels.yml and runs gh label create --force for each entry. Additive (never deletes) so legacy labels are preserved.
  • .github/scripts/test_pr_labeler.py — 35 pytest unit tests covering size buckets, risk parsing, checkbox state, and reconciliation.
  • .github/workflows/lint.yml — ruff check + ruff format --check on .github/scripts/, and actionlint on workflow YAML. Same conventions as our other repos.
  • .github/workflows/test-scripts.yml — pytest CI for the scripts (path-filtered to .github/scripts/**).
  • .gitignore — Python venv/cache patterns.

Why this is safe to be public

The scripts and label list contain no internal-only information:

  • Generic env-var docstrings ("owner/repo", no real repo names)
  • Generic label names and color hex codes
  • Synthetic test fixtures (no real PR bodies)
  • Workflow YAML uses actions/checkout@v4 and standard public actions

Local development

python3 -m venv .venv
.venv/bin/pip install pytest pyyaml ruff
.venv/bin/python -m pytest .github/scripts -v
.venv/bin/ruff check .github/scripts
.venv/bin/ruff format --check .github/scripts

Test plan

  • ruff check .github/scripts/ passes locally
  • ruff format --check .github/scripts/ passes (3 files already formatted)
  • pytest .github/scripts/ — 35/35 passing
  • actionlint passes on all workflow YAML
  • CI lint workflow runs green on this PR
  • CI test-scripts workflow runs green on this PR
  • Follow-up PR in .github-private updates its reusable workflows to actions/checkout repository: trufflesecurity/.github and removes the duplicated files there. Both PRs should land in close succession.

Note

Medium Risk
Adds automation that mutates repo labels and PR labels via the GitHub CLI; misconfiguration or parsing edge cases could apply incorrect labels across many open PRs during backfill.

Overview
Introduces a shared labels.yml taxonomy and a label_sync.py script to upsert those labels into a target repo via gh label create --force (additive; no deletions).

Adds a pr_labeler.py tool (with pytest coverage) that computes and reconciles PR size/*, risk/* (from Bugbot <!-- CURSOR_SUMMARY -->), and template checkbox labels (review/urgent, complexity/high), supporting event/single-PR and all open-PR backfill modes.

Wires in CI via new lint.yml (ruff + actionlint) and test-scripts.yml (pytest), plus a Python-focused .gitignore.

Reviewed by Cursor Bugbot for commit 6e32bb0. Bugbot is set up for automated code reviews on this repo.

@bryanbeverly bryanbeverly self-assigned this Apr 20, 2026
@bryanbeverly bryanbeverly marked this pull request as ready for review April 20, 2026 06:08
@bryanbeverly bryanbeverly merged commit 2fe0e3e into main Apr 20, 2026
4 checks passed
@bryanbeverly bryanbeverly deleted the feat/pr-labeling-script-relocation branch April 20, 2026 06:18
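
The risk-label reconciliation described in the PR, sketched as an added example; this is not the PR's pr_labeler.py. Assumptions: the closing marker `<!-- /CURSOR_SUMMARY -->`, the "<Level> Risk" wording, the label names risk/low, risk/medium and risk/high, and all function names. It plans changes only under the managed prefix and makes no change when the summary is missing or ambiguous, which is the backfill failure mode the Bugbot note calls out.

```python
import re

# Assumed: closing marker and level wording; only the opening marker is on the page.
SUMMARY_RE = re.compile(r"<!-- CURSOR_SUMMARY -->(.*?)<!-- /CURSOR_SUMMARY -->", re.S)
RISK_RE = re.compile(r"\b(low|medium|high)\s+risk\b", re.I)
MANAGED_PREFIXES = ("risk/",)  # labels outside these prefixes are never touched


def risk_label(pr_body):
    """Return 'risk/<level>' from the summary block, or None if absent or ambiguous."""
    blocks = SUMMARY_RE.findall(pr_body or "")
    if len(blocks) != 1:  # no block, or several: do not guess
        return None
    levels = {m.lower() for m in RISK_RE.findall(blocks[0])}
    return "risk/" + levels.pop() if len(levels) == 1 else None


def reconcile(current, desired):
    """Return (to_add, to_remove); a None desired label means no change at all."""
    if desired is None:
        return [], []
    managed_now = {name for name in current if name.startswith(MANAGED_PREFIXES)}
    return sorted({desired} - managed_now), sorted(managed_now - {desired})


def plan_backfill(prs):
    """Map PR number -> (to_add, to_remove) without calling any API (dry run)."""
    return {pr["number"]: reconcile(pr["labels"], risk_label(pr["body"])) for pr in prs}


# Constructed sample data, not real PR bodies.
BODY_OK = ("## Summary\nLow risk change in my opinion.\n"
           "<!-- CURSOR_SUMMARY -->\n### Medium Risk\nMutates labels.\n"
           "<!-- /CURSOR_SUMMARY -->")
BODY_AMBIGUOUS = ("<!-- CURSOR_SUMMARY -->\n### Low Risk\n"
                  "Touches a high risk path.\n<!-- /CURSOR_SUMMARY -->")
SAMPLE_PRS = [
    {"number": 1, "labels": ["bug", "risk/low"], "body": BODY_OK},
    {"number": 2, "labels": ["risk/medium"], "body": BODY_OK},
    {"number": 3, "labels": ["risk/high", "legacy"], "body": "No summary yet."},
    {"number": 4, "labels": ["risk/low"], "body": BODY_AMBIGUOUS},
]

if __name__ == "__main__":
    for number, (add, remove) in plan_backfill(SAMPLE_PRS).items():
        print(f"PR #{number}: add={add} remove={remove}")
```

Text outside the marker pair is ignored, so the "Low risk" sentence in the constructed description does not affect the label for PR 1.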