Add dependency guard backfill label trigger

[RomneyDa]

Summary

Add a temporary dependency-guard-backfill label trigger to the Dependency Guard workflow so maintainers can backfill the required dependency-guard check on old open PR heads without requiring contributors to push, rebase, close/reopen, or rerun the rest of CI.

• Adds labeled to the pull_request_target activity types.
• Gates labeled events to only run for dependency-guard-backfill.
• Keeps normal opened/reopened/synchronize/ready_for_review behavior unchanged.

Backfill Plan

This is the first step in a temporary three-PR backfill flow:

1. This PR teaches Dependency Guard to run when maintainers add dependency-guard-backfill.
2. ci: isolate dependency guard backfill label #87882 prevents broad label-triggered workflows from reacting to that label, so the batch labeler only wakes Dependency Guard and does not fan out unrelated automation.
3. Maintainers run the attached local batch script against the frozen audit set of old PRs that already have a real failing non-dependency check or a local merge conflict, then chore: revert dependency guard backfill machinery #87867 removes the temporary trigger once the backfill window is complete.

The script/artifact bundle is attached in this PR's comments as a secret gist. It is resumable, dry-run by default, and applies the label in batches using local gh auth unless GH_TOKEN is set.

Verification

• Parsed .github/workflows/dependency-guard.yml with yaml and confirmed the trigger and job condition.
• git diff --check -- .github/workflows/dependency-guard.yml test/scripts/dependency-guard-workflow.test.ts

[clawsweeper]

ClawSweeper status: review started.

I am starting a fresh review of this pull request: Add dependency guard backfill label trigger This is item 1/1 in the current shard. Shard 0/1.

This placeholder means the worker is alive and reading the current context. I will edit this same comment with the actual review when the claws are done clicking.

Crustacean status: shell secured, claws on keyboard, evidence pebbles being sorted.

[RomneyDa]

Added the dependency guard backfill artifacts as a secret gist:

https://gist.github.com/RomneyDa/bc631c36b8b5db86d90871f8f1a4abc1

Files included:

• prs-bad-failing-or-conflict-verified-excluding-dependency-guard.json — frozen 2,695 non-draft PR target set for dependency-guard-backfill
• apply-dependency-guard-backfill-label.mjs — resumable batch labeler, dry-run by default
• apply-dependency-guard-backfill-label.test.mjs — dry-run test that requires no token

SHA-256:

ae7f3231b342250edb5902109a0908a6f267de040bcf2f168abc9f56ce95768c  prs-bad-failing-or-conflict-verified-excluding-dependency-guard.json
dd8c4cf985dc8e6be7555d873ccabd255c9b95bcb5bd8925e5409e80e62aac6d  apply-dependency-guard-backfill-label.mjs
66836654ca70514f2deadb48243a46949c9f2f66fdff5970e9fbc9224db284b2  apply-dependency-guard-backfill-label.test.mjs

Verification run locally:

node --test .tmp/dependency-guard-pr-audit/apply-dependency-guard-backfill-label.test.mjs