ci: remove pull_request_target trigger from release-drafter

[ryantm]

Why

Removing the pull_request_target trigger from this workflow as a precaution against the supply-chain attack pattern exploited in the recent TanStack NPM compromise (https://tanstack.com/blog/npm-supply-chain-compromise-postmortem). pull_request_target runs in the context of the target repo with access to secrets, which is exactly the foothold the TanStack attack used.

Per security policy discussed in Slack (https://replit.slack.com/archives/C03FS477T17/p1778588219046429), we're removing pull_request_target from all Replit-owned public repos.

What changed

Removed the pull_request_target event block from .github/workflows/release-drafter.yml. No other changes.

Tradeoff: the release-drafter autolabeler will no longer run on PRs opened from forks (it only ran via pull_request_target because the pull_request event from a fork doesn't have write permissions). Release notes are still drafted on push to master, and autolabeler still runs on PRs from branches in this repo via the remaining pull_request trigger.

Test plan

Static — the change is a YAML deletion. CI will re-run on this PR via the remaining pull_request trigger; verifying the workflow still parses and runs is sufficient.

Rollout

• This is fully backward and forward compatible

---

~ written by Zerg 👾 (advanced-arbiter-7b5b)