chore: simplify auto approve mechanism (#17264)

Currently, PR's are auto approved if they either:

1. Contain the `pr/auto-approve` label.
2. Created by `dependabot`
3. Created by `aws-cdk-automation`

This is somewhat convoluted, and complicates the responsibility of the `auto-approve` workflow. 
In addition, this makes it impossible to formulate a single GitHub query to lookup all automated PR's that we expect to be approved and merged without human intervention. 

This PR switches to a simpler mechanism, by which the `auto-approve` workflow will **only** approve PR's that contain the appropriate label, forcing all PR creators to add the label if they wish to be auto-approved.

This means we can now use a simple `label:pr/auto-approve` query to find all those automated PR's.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

.github/workflows/auto-approve.yml

@@ -7,11 +7,7 @@ on:
 
 jobs:
   auto-approve:
-    if: >
-       github.event.pull_request.user.login == 'dependabot[bot]'
-        || github.event.pull_request.user.login == 'dependabot-preview[bot]'
-        || (contains(github.event.pull_request.labels.*.name, 'pr/auto-approve')
-            && github.event.pull_request.user.login == 'aws-cdk-automation')
+    if: contains(github.event.pull_request.labels.*.name, 'pr/auto-approve')
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write

.github/workflows/pr-labeler.yml

@@ -0,0 +1,17 @@
+# Apply various labels on PRs
+
+name: pr-labeler
+on:
+  pull_request:
+    types: [ opened ]
+
+jobs:
+  auto-approve:
+    if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'dependabot-preview[bot]'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+    - run: gh pr edit ${{ github.event.pull_request.number }} --add-label "pr/auto-approve" -R ${{ github.repository }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}