Address code review feedback: add path triggers and improve security

Co-authored-by: huangyiirene <7665279+huangyiirene@users.noreply.github.com>

Author: Copilot

.github/workflows/labeler.yml

@@ -3,6 +3,9 @@ name: "Pull Request Labeler"
 on:
   pull_request:
     types: [opened, synchronize, reopened]
+    paths:
+      - '**/*'
+      - '.github/labeler.yml'
 
 permissions:
   contents: read

.github/workflows/validate-metadata.yml

@@ -10,6 +10,7 @@ on:
       - '**/*.app.yml'
       - '**/*.page.yml'
       - '**/*.menu.yml'
+      - 'scripts/validate-yaml.js'
   pull_request:
     branches: [ "main" ]
     paths:
@@ -19,6 +20,7 @@ on:
       - '**/*.app.yml'
       - '**/*.page.yml'
       - '**/*.menu.yml'
+      - 'scripts/validate-yaml.js'
 
 jobs:
   validate:

scripts/validate-yaml.js

@@ -9,6 +9,10 @@
  * - *.app.yml
  * - *.page.yml
  * - *.menu.yml
+ * 
+ * Dependencies:
+ * - Requires 'js-yaml' from devDependencies
+ * - Run 'pnpm install' before executing this script
  */
 
 const yaml = require('js-yaml');
@@ -73,7 +77,7 @@ async function validateFiles() {
   const results = await Promise.allSettled(
     files.map(async (file) => {
       const content = await fs.promises.readFile(file, 'utf8');
-      yaml.load(content);
+      yaml.load(content, { schema: yaml.DEFAULT_SAFE_SCHEMA });
       return file;
     })
   );