ci(BA-4850): separate labeler workflow to fix 403 on fork PRs #9610

Open
fregataa wants to merge 2 commits into main from BA-4850
@fregataa fregataa commented Mar 3, 2026

Summary

  • Extract labeler job from ci.yml into standalone labeler.yml workflow
  • Use pull_request_target trigger instead of pull_request to fix permission issues
  • Fixes 403 "Resource not accessible by integration" errors on fork PRs

Test plan

  • Quality checks pass (pants fmt, fix, lint)
  • Verify labeler runs successfully on fork PR (will be tested after merge)

Resolves BA-4850

Extract labeler job from ci.yml into standalone labeler.yml workflow
using pull_request_target trigger. This fixes "Resource not accessible
by integration" errors on fork PRs where GITHUB_TOKEN is read-only.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings March 3, 2026 10:14
Copilot AI left a comment

Pull request overview

Extracts the PR labeler into its own workflow and switches to pull_request_target to avoid 403 permission errors on forked PRs.

Changes:

  • Added a standalone .github/workflows/labeler.yml workflow triggered by pull_request_target.
  • Removed the labeler job from .github/workflows/ci.yml.
  • Configured concurrency and token permissions for the labeler workflow.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| .github/workflows/labeler.yml | New dedicated labeler workflow using pull_request_target with write perms for labeling. |
| .github/workflows/ci.yml | Removes embedded labeler job now handled by the standalone workflow. |

contents: read
pull-requests: write
steps:
- uses: lablup/auto-labeler@main
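Review bot: `uses: lablup/auto-labeler@main` tracks a branch, so pin it to a full commit SHA and keep the version in a trailing comment; a tag can be re-pointed just like a branch, and whatever the ref resolves to runs with the `pull-requests: write` permission shown two lines above. Since the PR moves this job to pull_request_target, also keep the `steps:` list free of any checkout of the PR head.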
Copilot AI Mar 3, 2026

Using a third-party action pinned to a moving ref (@main) is risky, and this is especially sensitive with pull_request_target since the workflow runs with elevated permissions. Pin the action to an immutable commit SHA (preferred) or a version tag to reduce supply-chain risk.

Suggested change
- uses: lablup/auto-labeler@main
- uses: lablup/auto-labeler@v1

Copilot uses AI. Check for mistakes.
labeler:
runs-on: ubuntu-latest
permissions:
contents: read
Copilot AI Mar 3, 2026

Labeling a PR typically requires issues: write because PR labels are managed via the Issues API. With only pull-requests: write, the action may still hit 403s when trying to apply labels. Add issues: write (and keep pull-requests: write if the action needs it) to ensure labeling succeeds.

Suggested change
contents: read
contents: read
issues: write

@fregataa fregataa added this to the 26.3 milestone Mar 3, 2026
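
A check for the pinning concern raised in the review comment on `uses: lablup/auto-labeler@main`, as an added example that is not part of the PR or the project's code: it flags `uses:` references that are not full commit SHAs and rates them higher when the workflow runs on pull_request_target with a write permission. The `audit` function, the regex-based parsing (a simplification, not a YAML parser), the sample workflow's name and trigger `types` list, and the 40-character SHA are assumptions.

```python
import re

# Matches "uses: owner/repo[/path]@ref"; local ("./...") and docker:// refs do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
WRITE_RE = re.compile(r"^\s*([\w-]+):\s*write\b", re.M)   # e.g. "pull-requests: write"
COMMENT_RE = re.compile(r"(^|\s)#.*$", re.M)

def audit(workflow_text):
    """Return one finding per `uses:` reference that is not a full commit SHA."""
    body = COMMENT_RE.sub("", workflow_text)            # ignore YAML comments
    privileged = re.search(r"\bpull_request_target\b", body) is not None
    write_scopes = sorted(set(WRITE_RE.findall(body)))
    findings = []
    for action, ref in USES_RE.findall(body):
        if FULL_SHA_RE.fullmatch(ref):
            continue                                    # immutable pin
        findings.append({
            "action": action,
            "ref": ref,
            # A moving ref matters most where the job holds a write token
            # in the base-repository context.
            "severity": "high" if privileged and write_scopes else "medium",
            "write_scopes": write_scopes,
        })
    return findings

# Constructed sample: the job body mirrors the lines quoted in the review;
# the workflow name and the trigger `types` list are assumptions.
WEAK = """\
name: labeler
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  labeler:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: lablup/auto-labeler@main
"""
# Placeholder SHA (not a real commit of the action), with the version kept as a comment.
PINNED = WEAK.replace("@main", "@0123456789abcdef0123456789abcdef01234567  # v1")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("pinned", PINNED)):
        print(name, audit(text))
```

Run over `.github/workflows/*.yml` in CI, a non-empty result for any pull_request_target workflow can fail the build before an unpinned action reaches `main`.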