Skip auto-label flow when TRIGGER_STRING is unset

When TRIGGER_STRING is not configured, String.prototype.includes()
coerces undefined to the literal string "undefined". A PR body or
comment containing the word "undefined" could therefore falsely match
and trigger the auto-label flow.

Add an early-return guard at the top of the pull_request.opened and
issue_comment.created handlers — matching the existing AUTHORIZED_TEAM
check in isAuthorized — so an unset or empty TRIGGER_STRING disables
the trigger feature entirely instead of matching a coerced string.

Author: fortify-drussell

app.js

@@ -210,8 +210,12 @@ module.exports = (app) => {
   });
 
   app.on("pull_request.opened", async (context) => {
+    if (process.env.TRIGGER_STRING == undefined || process.env.TRIGGER_STRING == "") {
+      console.log("No trigger string specified. Skipping auto-label check.");
+      return;
+    }
     let authorized = await isAuthorized(context.payload.sender.login, context.payload.organization.login, context.octokit)
-    if (context.payload.pull_request.body.toLocaleLowerCase().includes(process.env.TRIGGER_STRING) 
+    if (context.payload.pull_request.body.toLocaleLowerCase().includes(process.env.TRIGGER_STRING)
         && authorized) {
 
       // Found the trigger string, so add the emergency label to trigger the other stuff...
@@ -243,9 +247,13 @@ module.exports = (app) => {
   });
 
   app.on("issue_comment.created", async (context) => {
+    if (process.env.TRIGGER_STRING == undefined || process.env.TRIGGER_STRING == "") {
+      console.log("No trigger string specified. Skipping auto-label check.");
+      return;
+    }
     let authorized = await isAuthorized(context.payload.sender.login, context.payload.organization.login, context.octokit)
-    if (context.payload.issue.pull_request 
-        && context.payload.comment.body.toLocaleLowerCase().includes(process.env.TRIGGER_STRING) 
+    if (context.payload.issue.pull_request
+        && context.payload.comment.body.toLocaleLowerCase().includes(process.env.TRIGGER_STRING)
         && authorized) {
 
       // This is a comment on a PR and we found the trigger string, so add the emergency label to trigger the other stuff...