
build: pin codelytv/pr-size-labeler to commit SHA in pull_request_target workflow #4570

Status: Closed
XananasX7 wants to merge 2 commits into agones-dev:main from XananasX7:XananasX7-patch-1


Conversation

@XananasX7

What type of PR is this?

/kind cleanup

What this PR does / Why we need it:

Pins codelytv/pr-size-labeler to full commit SHA instead of mutable v1 tag in the labeler.yml workflow.

This workflow uses the pull_request_target trigger, which runs with write permissions on every PR from forks. Using a mutable tag reference means any compromise of the upstream action repository (tag move, account takeover) would execute arbitrary code with write access to this repository.

Pinning to SHA ensures the action content is immutable and prevents supply chain attacks via tag manipulation.

Which issue(s) this PR fixes:

N/A — proactive security hardening

Special notes for your reviewer:

This follows GitHub's security best practice of pinning actions to full SHA in privileged workflows. See:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
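As an added example (not code from this PR or from the Agones project), a small Python audit that scans a workflow file for `uses:` references and reports any third-party action that is not pinned to a full 40-character commit SHA, raising the severity when the workflow runs under pull_request_target. It also separates abbreviated hex refs (which may not resolve to a commit at all, the point the reviewer raises below) from mutable tags. The sample workflow is constructed and its actions/checkout SHA is a placeholder.

```python
import re

# Constructed sample workflow (not the Agones labeler.yml). The full SHA on
# actions/checkout is a placeholder, not a real commit of that action.
SAMPLE_WORKFLOW = """\
name: labeler
on:
  pull_request_target:
jobs:
  size:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder
      - uses: codelytv/pr-size-labeler@v1
      - uses: codelytv/pr-size-labeler@56070d7
"""

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// actions are skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")


def uses_pull_request_target(workflow_text: str) -> bool:
    # pull_request_target runs with base-repository permissions on PRs from forks.
    return re.search(r"^\s*pull_request_target\s*:", workflow_text, re.M) is not None


def classify_ref(ref: str) -> str:
    # full-sha: immutable 40-hex id; short-sha: abbreviated, ambiguous and possibly
    # non-existent; mutable: a tag or branch name that can be moved.
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "full-sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "mutable"


def audit_workflow(workflow_text: str) -> list:
    # One finding per third-party action not pinned to a full SHA. Whether a
    # full-SHA-shaped ref really exists upstream (e.g. `git ls-remote`) is not checked offline.
    privileged = uses_pull_request_target(workflow_text)
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        kind = classify_ref(ref)
        if kind == "full-sha":
            continue
        findings.append({"line": lineno, "action": action, "ref": ref, "kind": kind,
                         "severity": "high" if privileged else "medium"})
    return findings
```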

XananasX added 2 commits May 16, 2026 01:27
…rget workflow
build: pin codelytv/pr-size-labeler to commit SHA in pull_request_target workflow
github-actions bot added labels kind/cleanup (Refactoring code, fixing up documentation, etc) and size/XS on May 16, 2026
@XananasX7 (Author)

I agree to the DCO (Developer Certificate of Origin) for this contribution.

@XananasX7 (Author)

Summary

This PR pins codelytv/pr-size-labeler to a full commit SHA in the pull_request_target workflow.

Why this matters

The pull_request_target trigger gives this workflow base-repository context. The codelytv/pr-size-labeler action uses a mutable version tag, making it a viable supply chain attack vector — a compromised tag could run arbitrary code with repository write access on every PR.

Fix

Pinned to the exact commit SHA with a version comment. Minimal change, no logic impact. DCO signed. Ready for review.

@markmandel (Member)

CodelyTV/pr-size-labeler@56070d7 also not a commit. Closing and banning account due to security concerns.

markmandel closed this May 20, 2026