fix: Change check-labels to be a separate workflow

Due to github permissions, we don't have access to the
BOT_WORKFLOW_TOKEN in pull_request events from forks. The recommended
way by github docs is to use a pull_request_target event that runs in
the context of the base branch. The recommendation is to not run any
build or execute code in events like this coming from forks due to
increased security risk.

.github/workflows/check-labels.yml

@@ -0,0 +1,14 @@
+name: Check required labels
+
+on:
+  pull_request_target:
+    branches: ["**"]
+
+jobs:
+  check-labels:
+    name: Check PR labels
+    uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
+    secrets:
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      pull-requests: write

.github/workflows/ci.yml

@@ -27,15 +27,6 @@ env:
   RUSTUP_WINDOWS_PATH_ADD_BIN: 1
 
 jobs:
-  check-labels:
-    name: Check PR labels
-    if: ${{ github.event_name == 'pull_request'}}
-    uses: eclipse-zenoh/ci/.github/workflows/check-labels.yml@main
-    secrets:
-      github-token: ${{ secrets.GITHUB_TOKEN }}
-    permissions:
-      pull-requests: write
-
   check:
     name: Lints and doc tests on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
@@ -160,13 +151,8 @@ jobs:
   ci:
     name: CI status checks
     runs-on: ubuntu-latest
-    needs: [check-labels, check, test, valgrind, typos]
+    needs: [check, test, valgrind, typos]
     if: always()
     steps:
       - name: Check whether all jobs pass
-        run: |
-          if [${{ github.event_name == 'pull_request' }}]; then
-            echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'
-          else
-            echo '${{ toJson(needs) }}' | jq -e 'del(."check-labels")' | jq -e 'all(.result == "success")'
-          fi
+        run: echo '${{ toJson(needs) }}' | jq -e 'all(.result == "success")'