workflows: Split new-prs into two workflows
We cannot use the default GitHub token for labeling PRs, because this will not trigger the PR Subscriber job. However, we weren't allowed to use a different token via a secret, because secrets aren't allowed in PR workflows. The solution is to create two workflows: the first accepts the pull_request_target event, extracts the PR number, and then starts the second workflow, which adds the labels to the PRs. This separation ensures that nothing malicious in the first workflow is able to access the secret we use in the second workflow.