From 2e53efcfb4fa9e0d1c83b4857166f6358d5a544e Mon Sep 17 00:00:00 2001 From: Aleksei Sviridkin Date: Tue, 26 May 2026 23:40:45 +0300 Subject: [PATCH] fix(ci): grant issues:write to pr-labeler workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit addLabels and removeLabel call the issues API endpoint (POST /repos/.../issues/{number}/labels) even when the target is a pull request. Without 'issues: write' the workflow token cannot mutate labels and the call returns HTTP 403 'Resource not accessible by integration'. The previous 'pull-requests: write' grant covers the PR conversation surface — comments, reviewers, merge state — but not labels, which GitHub treats as an issues resource. Add the missing scope and document the reasoning inline so a future reader does not retry the same mistake. Assisted-By: Claude Signed-off-by: Aleksei Sviridkin --- .github/workflows/pr-labeler.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml index ec59493..039b3a7 100644 --- a/.github/workflows/pr-labeler.yaml +++ b/.github/workflows/pr-labeler.yaml @@ -6,7 +6,14 @@ on: permissions: contents: read + # `pull-requests: write` is required for editing the PR conversation + # surface (comments, reviewers). Labels live behind the issues API + # (`POST /repos/.../issues/{n}/labels`), so adding or removing them on + # a PR needs `issues: write` even when the target is a pull request. + # Without this scope, github.rest.issues.addLabels fails with + # `Resource not accessible by integration` (HTTP 403). pull-requests: write + issues: write # Coalesce rapid edited/synchronize bursts on the same PR so an older run # cannot land its label mutations after a newer run computed a different set.
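Review bot: The added `issues: write` line lands in what reads as the workflow-level `permissions:` block (directly after `contents: read`, before the concurrency comment), so every job in pr-labeler.yaml gets a token that can mutate issues, not only the step that calls `github.rest.issues.addLabels`. Consider keeping just `contents: read` at the top and moving `pull-requests: write` and `issues: write` into a job-level `permissions:` on the labeling job. Separately, the new comment justifies `pull-requests: write` by comments and reviewers, while the commit message names only addLabels and removeLabel; if the workflow makes no other PR calls, it is worth checking whether that grant can be reduced now that labels are covered by `issues: write`.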