ci(pr): restore PR labeling

overlookmotel · overlookmotel · commit ad9aabe9dfe4 · 2026-04-30T01:07:44.000+01:00
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -14,9 +14,21 @@ on:
 
 jobs:
   pr:
-    name: Check PR Title
+    name: Label and Check PR Title
+    permissions:
+      contents: read # `actions/labeler` reads `.github/labeler.yml` via the GitHub API
+      pull-requests: write # `actions/labeler` adds labels to the PR, requires write permission
     runs-on: ubuntu-slim
     steps:
+      # This step can only be run on internal PRs (i.e. from core contributors who have write access to the repo).
+      # The simplest way to extend it to external contributors making PRs from forks would be to switch to a
+      # `pull_request_target` event, but we don't want to do that due to the security risks of `pull_request_target`
+      # (see PR #21566).
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+        # Skip on PRs from forks.
+        # In `pull_request` events, `GITHUB_TOKEN` is read-only for PRs from forks, so adding labels would fail.
+        if: github.event.pull_request.head.repo.full_name == github.repository
+
       - name: Validate PR title
         env:
           TITLE: ${{ github.event.pull_request.title }}
