[ARM Auto SignOff] Cannot trigger on pull_request:labeled events from bot accounts

[mikeharder]

These runs are blocked waiting for approval:

https://github.com/Azure/azure-rest-api-specs/actions/workflows/arm-auto-signoff-preview.yaml?query=is%3Aaction_required

The workflow is supposed to trigger on labeled/unlabeled events, and it usually works. However, if the label is added by microsoft-github-policy-service (bot) or openapi-pipeline-app (bot), the workflow cannot trigger without approval.

This means workflows can't trigger on label/unlabel events from bot accounts. Unless we can figure out how to make the accounts considered "members of our repository".

Or maybe giving read and write access to actions in the app permissions would unblock this, at least for openapi-pipeline-app? We don't really need it for microsoft-github-policy-service.

This might be a lower priority, since we also trigger off the NextStepsToMerge comment, so even if we miss one trigger, the check should be eventually correct.

Once we move all checks out of alps, I think this problem also goes away. For ArmAutoSignOff, we only need to move Avocado and LintDiff.

We could maybe change our repo setting to "require for first-time contributors" which might also unblock these two bot accounts (or maybe not, if they can't be considered a contributor)