ci: Update add-team-label and check-template-and-add-labels workflows to use OIDC token exchange cp-7.80.0

[Mrtenz]

Description

This updates the add-team-label and check-template-and-add-labels workflows to use OIDC token exchange.

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Changes how automation authenticates to GitHub (and planning); misconfiguration could break PR/issue labeling until tokens and permissions are correct.

Overview
Two GitHub Actions workflows now obtain GitHub API tokens through OIDC token exchange (MetaMask/github-tools get-token@v1 and vars.TOKEN_EXCHANGE_URL) instead of repository secrets (TEAM_LABEL_TOKEN, LABEL_TOKEN).

add-team-label grants id-token: write, mints a read-only token for MetaMask/MetaMask-planning, a separate token with pull_requests: write, and passes both into add-team-label@v1 as planning-token and team-label-token.

check-template-and-add-labels adds contents: read and id-token: write, fetches a scoped token (issues: write, members: read, pull_requests: write), and wires LABEL_TOKEN to that output for the existing script step.

^{Reviewed by Cursor Bugbot for commit b51e09a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1e9225a. Configure here.}