fix: scope labeler trigger to opened/synchronize and fix bugfix typo

- Restrict pull-request-target.yml to only 'opened' and 'synchronize'
  events to reduce unnecessary API calls that exhaust the rate limit
- Fix 'bugpost' typo back to 'bugfix' in pr_enforce_labels.yml

.github/workflows/pr_enforce_labels.yml

@@ -18,7 +18,7 @@ jobs:
           script: |
             // Extract labels from the payload directly to avoid extra API calls
             const latestLabels = context.payload.pull_request.labels.map(label => label.name);
-            const requiredLabels = ['bugpost', 'enhancement', 'automation', 'dependencies', 'repo', 'release', 'refactor'];
+            const requiredLabels = ['bugfix', 'enhancement', 'automation', 'dependencies', 'repo', 'release', 'refactor'];
             console.log('Labels from payload:', latestLabels);
             const hasRequiredLabel = latestLabels.some(label => requiredLabels.includes(label));
             if (!hasRequiredLabel) {

.github/workflows/pull-request-target.yml

@@ -1,7 +1,8 @@
 name: "Pull Request Labeler"
 on:
-- pull_request_target
-# Do not execute arbitary code on this workflow. 
+  pull_request_target:
+    types: [opened, synchronize]
+# Do not execute arbitrary code on this workflow.
 # See warnings at https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
 
 jobs:
@@ -12,4 +13,6 @@ jobs:
     runs-on: ubuntu-24.04-arm
     steps:
     - id: label-the-PR
-      uses: actions/labeler@v6
+      uses: actions/labeler@v6
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}