
ci: fix consume_ci_run_label permissions #138

Merged
Oddly merged 1 commit into main from fix/consume-ci-run-label-permissions
Apr 19, 2026

@Oddly Oddly (Owner) commented Apr 19, 2026

The consume workflow has been failing on every invocation since it was added — all three recorded runs show failure with GraphQL: Resource not accessible by integration (removeLabelsFromLabelable). Removing labels from a pull request needs pull-requests: write; the workflow was declaring issues: write. The gh issue edit route worked against the Issues REST API because PRs share numbering with issues, but GitHub's authorization check looks at the scope that matches the target resource, and for a PR that's pull-requests. I've swapped the permission and moved the command to gh pr edit so the intent lines up with the scope.

The practical effect of the bug: the ci:run label was never being auto-stripped after a run started. Heavy CI still fired (because the pull_request: types: [labeled] trigger on the test workflows doesn't depend on consume), but the label lingered, which meant subsequent pushes needed a manual remove-then-re-add to re-trigger. This fix restores the intended "label-then-forget" flow.

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration for improved CI/CD process management.

The consume workflow has been failing on every run since it was added:
removing a label from a PR needs pull-requests: write, not issues: write.
The gh issue edit route worked against the Issues REST API because PRs
share numbering, but authorization checked against the wrong scope and
returned "Resource not accessible by integration". Swapping to gh pr edit
with the correct permission fixes it.
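A lint for the scope mismatch described above, as an added example that is not part of this PR or the project's code. It encodes the rule stated in the description (label edits on a pull request need `pull-requests: write`); the two sample workflows are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample workflows (not the project's actual file).
BEFORE = """\
name: consume ci:run label
on:
  pull_request:
    types: [labeled]
permissions:
  issues: write
jobs:
  consume:
    if: ${{ github.event.label.name == 'ci:run' }}
    runs-on: ubuntu-latest
    steps:
      - run: gh issue edit "$PR" --remove-label ci:run
"""
AFTER = BEFORE.replace("issues: write", "pull-requests: write").replace(
    "gh issue edit", "gh pr edit")

def declared_permissions(text):
    """Collect {scope: level} from every block-style `permissions:` mapping.
    Assumption: shorthand forms such as `permissions: write-all` are not parsed."""
    perms, in_block = {}, False
    for line in text.splitlines():
        if re.match(r"^\s*permissions:\s*$", line):
            in_block = True
        elif in_block:
            m = re.match(r"^\s+([\w-]+):\s*(\w+)\s*$", line)
            if m:
                perms[m.group(1)] = m.group(2)
            else:
                in_block = False
    return perms

def find_scope_mismatches(text):
    """Return (line_no, required_scope, line) for each label edit whose
    required scope is not granted `write`."""
    perms = declared_permissions(text)
    # Heuristic: any mention of pull_request means the target is a PR.
    targets_pr = re.search(r"\bpull_request(_target)?\b", text) is not None
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"\bgh (issue|pr) edit\b.*--(add|remove)-label", line)
        if not m:
            continue
        needs = "pull-requests" if (m.group(1) == "pr" or targets_pr) else "issues"
        if perms.get(needs) != "write":
            findings.append((n, needs, line.strip()))
    return findings
```

Run over `.github/workflows/*.yml` in CI, a non-empty result points at the step that would fail with "Resource not accessible by integration" at runtime.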

coderabbitai Bot commented Apr 19, 2026

Walkthrough

The workflow's GitHub Actions permissions are updated from issues: write to pull-requests: write, and the label removal command is correspondingly changed from using gh issue edit to gh pr edit while maintaining the same pull request target.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow: .github/workflows/consume_ci_run_label.yml | Updated permissions from issues: write to pull-requests: write and switched label removal command from gh issue edit to gh pr edit for consistency with pull request operations.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • Gate PR CI behind a run label #132: Directly related—modifies the same consume_ci_run_label workflow, replacing gh issue edit with gh pr edit and adjusting permissions accordingly.

Suggested labels

ci:run

🚥 Pre-merge checks: ✅ 3 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'ci: fix consume_ci_run_label permissions' directly and concisely summarizes the main change: fixing permissions for the consume_ci_run_label workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@Oddly Oddly added the ci:run Trigger gated pull request CI label Apr 19, 2026

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/consume_ci_run_label.yml (1)

11-15: Optional: add job-level concurrency to avoid duplicate consume runs.

If the label is toggled quickly, multiple consume jobs can run concurrently. A small concurrency guard would make this more deterministic.

Suggested diff
 jobs:
   consume:
+    concurrency:
+      group: consume-ci-run-label-${{ github.event.pull_request.number }}
+      cancel-in-progress: false
     if: ${{ github.event.label.name == 'ci:run' }}
     runs-on: ubuntu-latest
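
Review bot: at `cancel-in-progress: false`, runs for the same PR are queued rather than cancelled, and GitHub keeps only one pending run per concurrency group, so a burst of label toggles still ends with the in-progress run plus the newest pending one; a one-line comment above the `concurrency:` key would make that choice read as deliberate. The group key uses `github.event.pull_request.number`, which is only populated for pull request events, so this guard should stay tied to a pull request trigger. The agent prompt later in this comment asks for `cancel-in-progress: true` and a different group expression; the two should be reconciled before either is applied.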

As per coding guidelines, .github/workflows/**: Check workflow syntax, appropriate use of self-hosted vs ubuntu-latest runners, secret references, and concurrency settings.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/consume_ci_run_label.yml around lines 11 - 15, The consume
job can be triggered multiple times rapidly; add a job-level concurrency stanza
under jobs.consume (use the concurrency key on the "consume" job) to serialize
runs and set cancel-in-progress: true; use a stable group expression such as
"consume-${{ github.repository }}-${{ github.event.issue.number ||
github.event.pull_request.number || github.sha }}" so only one consume job for
the same PR/issue/ref runs at a time.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a3c27d83-5b48-44f6-8991-c79277c8e24a

📥 Commits

Reviewing files that changed from the base of the PR and between e236b4f and 9b8ac7e.

📒 Files selected for processing (1)
  • .github/workflows/consume_ci_run_label.yml

@Oddly Oddly merged commit a0cd8f8 into main Apr 19, 2026
11 of 12 checks passed
@Oddly Oddly deleted the fix/consume-ci-run-label-permissions branch April 19, 2026 01:36