Migrate label sync from Prow to Tekton CronJob or Terraform

[vdemeester]

Summary

Prow's label_sync tool currently synchronizes labels defined in
label_sync/labels.yaml (~520 lines) across all tektoncd and
tektoncd-catalog repositories. This needs to run independently of Prow.

Proposed Replacement

A Tekton CronJob (or Kubernetes CronJob triggering a TaskRun) on the OCI
cluster:

1. A Tekton Task that reads labels.yaml (from the repo or a ConfigMap),
   uses gh CLI or GitHub API to sync labels across all repos, and reports
   drift or errors.
2. A CronJob running daily or weekly to keep labels in sync.
3. Optionally also trigger on PR merge to label_sync/labels.yaml for
   immediate sync (via PaC or EventListener).

Alternatives

• Terraform — we already manage branch protection with it, adding labels
  would make it fully declarative and auditable. But the labels.yaml format
  is Prow-specific and would need conversion.
• GHA actions like crazy-max/ghaction-github-labeler or
  lannonbr/issue-label-manager-action.
• Simple script using gh label commands.

Considerations

• The labels.yaml format is Prow-specific — may need conversion depending
  on the tool chosen.
• Must support both tektoncd and tektoncd-catalog orgs.
• Terraform is a natural fit since we already use it for branch protection
  (declarative, auditable, PR-reviewable).

/cc @tektoncd/plumbing-maintainers