diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
index ec59493..039b3a7 100644
--- a/.github/workflows/pr-labeler.yaml
+++ b/.github/workflows/pr-labeler.yaml
@@ -6,7 +6,14 @@ on:
 
 permissions:
   contents: read
+  # `pull-requests: write` is required for editing the PR conversation
+  # surface (comments, reviewers). Labels live behind the issues API
+  # (`POST /repos/.../issues/{n}/labels`), so adding or removing them on
+  # a PR needs `issues: write` even when the target is a pull request.
+  # Without this scope, github.rest.issues.addLabels fails with
+  # `Resource not accessible by integration` (HTTP 403).
   pull-requests: write
+  issues: write
 
 # Coalesce rapid edited/synchronize bursts on the same PR so an older run
 # cannot land its label mutations after a newer run computed a different set.