ci: validate semver label on PR events #26

Merged: jklaassenjc merged 1 commit into main from juergen/ci-pr-label-validation on May 20, 2026

@jklaassenjc jklaassenjc commented May 20, 2026

Summary

  • The Check-PR-Labels job in release.yml only fires on pull_request closed. PR feat(mcp): Ed25519 op-envelope signing for destructive ops (KLA-411) #25 merged with no label, the release run failed, and re-running it didn't help — gh run rerun reuses the cached event payload, which still shows no labels.
  • This adds a new workflow that runs the same label check on pull_request open/synchronize/reopened/labeled/unlabeled events, so a missing label surfaces while the PR is still open.
  • No change to release.yml; the post-merge check stays as defense-in-depth.

Follow-up

  • Once merged, enable branch protection on main with Check-PR-Labels (from this workflow) as a required status check to actually block merges. That's a settings change, not a code change, so it's not in this PR.

Test plan

  • Open this PR with the no version label → check passes.
  • Remove the label → check fails.
  • Add minor → check passes.
  • Add minor + patch together → check fails (more than one).

🤖 Generated with Claude Code


Note

Low Risk
Low risk: adds a new GitHub Actions workflow that only reads PR labels and fails the check when labeling is incorrect; no application/runtime code changes.

Overview
Adds a new GitHub Actions workflow (.github/workflows/pr-labels.yml) that runs on PR open/update/label changes to enforce that each PR has exactly one release label (major, minor, patch, or no version).

The job uses actions/github-script to read labels from the PR event payload and fails early when the label set is missing or ambiguous, surfacing release-label issues before merge.

Reviewed by Cursor Bugbot for commit 001b2a3.

The Check-PR-Labels job in release.yml only runs on `pull_request closed`,
so a merge with no label produces a failed release run that can't be
re-fired (re-running uses the cached event payload, which still has no
labels). Run the same check on PR open/sync/labeled/unlabeled so the
problem surfaces while it's still fixable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jklaassenjc jklaassenjc merged commit 4a32094 into main May 20, 2026
7 of 9 checks passed
@jklaassenjc jklaassenjc deleted the juergen/ci-pr-label-validation branch May 20, 2026 16:20
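
The label rule this PR describes (exactly one of major, minor, patch, or no version, read from the `pull_request` event payload), as an added example that is not the repository's pr-labels.yml or its github-script step. The function names, the result shape, exact-match comparison and the sample payloads are assumptions; only the four label names and the four test-plan cases come from the page.

```javascript
// Added example, not the repository's workflow code.
// The four label names come from the PR description; the rest is assumed.
const RELEASE_LABELS = ['major', 'minor', 'patch', 'no version'];

// Validate the labels carried in a pull_request event payload.
// Returns { ok, found, message } rather than throwing, so the caller decides
// how to fail the job (inside actions/github-script: core.setFailed(message)).
function checkReleaseLabels(payload) {
  const pr = payload && payload.pull_request;
  if (!pr || !Array.isArray(pr.labels)) {
    return { ok: false, found: [], message: 'payload has no pull_request.labels array' };
  }
  // Label objects in the payload carry a `name` field. Exact matching is an
  // assumption here: "Minor" or "patch " would not count as release labels.
  const names = pr.labels.map((l) => (l && typeof l.name === 'string' ? l.name : ''));
  const found = [...new Set(names.filter((n) => RELEASE_LABELS.includes(n)))];
  if (found.length === 0) {
    return { ok: false, found, message: `missing release label, add one of: ${RELEASE_LABELS.join(', ')}` };
  }
  if (found.length > 1) {
    return { ok: false, found, message: `more than one release label: ${found.join(', ')}` };
  }
  return { ok: true, found, message: `release label: ${found[0]}` };
}

// Constructed payloads (not captured from GitHub) for the test-plan cases.
const samplePayload = (...labels) => ({
  action: 'labeled',
  pull_request: { number: 0, labels: labels.map((name) => ({ name })) },
});

// The four cases from the test plan, in order:
// "no version" only, no label, "minor" only, "minor" + "patch".
function runTestPlan() {
  return [
    checkReleaseLabels(samplePayload('no version')),
    checkReleaseLabels(samplePayload()),
    checkReleaseLabels(samplePayload('minor')),
    checkReleaseLabels(samplePayload('minor', 'patch')),
  ].map((r) => r.ok);
}

console.log(runTestPlan());
```

The verdict depends only on the payload handed in, so evaluating the same payload again gives the same result, which matches the re-run behaviour the description reports for the post-merge check.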