fix(ci): grant issues:write to pr-labeler workflow#20

Open
Aleksei Sviridkin (lexfrei) wants to merge 1 commit into
mainfrom
fix/ci-labeler-issues-permission

Conversation


@lexfrei Aleksei Sviridkin (lexfrei) commented May 27, 2026

What this PR does

Adds issues: write to the pr-labeler workflow's permissions block. Without it, github.rest.issues.addLabels and removeLabel return HTTP 403 Resource not accessible by integration even though the workflow already declares pull-requests: write.

Why

Labels live behind the issues API (POST /repos/{owner}/{repo}/issues/{number}/labels). GitHub treats a pull request as a kind of issue for label operations, so mutating labels on a PR — adding or removing — requires the issues scope, regardless of whether the target is a PR or a standalone issue.

pull-requests: write covers the PR conversation surface: comments, reviewers, merge state. It does not cover labels. The previous configuration worked on earlier PRs by coincidence — labelers that produce zero changes (add.length === 0 and no labels to remove) skip the API call entirely and report success. The first PR for which the labeler computed a non-empty add set surfaced the gap.

Repro

PR #18 was the first cozystack-ui PR after #16 (label scheme adoption) and #17 (script tolerance fix) to actually demand labels (kind/feature + area/console) from addLabels. The workflow run at https://github.com/cozystack/cozystack-ui/actions/runs/26458860707 fails on github.rest.issues.addLabels with the 403 above. Diff between #17 (passed) and #18 (failed): #17's labeler invocation went through removeLabel for a stale label that no longer existed and returned 404 (caught by the existing try/catch) — its add set ended up empty, so no addLabels call ever fired. #18's add set is non-empty, and the call hits the missing permission.

Verification

This PR cannot self-check through its own labeler run: the workflow uses pull_request_target and checks out the labeler script and YAML from base.sha, which is unfixed main. The labeler run against this PR will run with the old (broken) permissions block.

The actual verification path is the next PR opened after this one merges to main. Its labeler invocation will pick up the fixed workflow and should successfully apply labels for any non-empty add set. A backfill run against PR #18 once this lands should also flip its label workflow from failure to success.

Summary by CodeRabbit

  • Chores
    • Enhanced GitHub Actions workflow configuration by improving permission documentation and clarity for automated processes that manage pull request and issue labels.
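The failure mode the description walks through, as an added illustration that is not the cozystack-ui labeler script: a hypothetical label-sync step (`syncLabels`, `runLabeler` and the managed prefixes `kind/` and `area/` are assumptions) run against a constructed stand-in for `github.rest.issues` whose behaviour depends on the scopes granted to the workflow token. It shows why an empty add set passes regardless of permissions, why the first non-empty add set returns 403 without `issues: write`, and that the same run succeeds once the scope is granted.

```javascript
// Constructed stand-in for github.rest.issues whose behaviour depends on the
// scopes granted to the workflow token (synchronous for readability; octokit is async).
function makeFakeIssuesApi(grantedScopes, repoLabels) {
  const labels = new Set(repoLabels);
  const httpError = (status, msg) => Object.assign(new Error(msg), { status });
  const requireIssuesScope = () => {
    if (!grantedScopes.includes('issues')) throw httpError(403, 'Resource not accessible by integration');
  };
  return {
    addLabels({ labels: toAdd }) {
      requireIssuesScope();
      toAdd.forEach((l) => labels.add(l));
    },
    removeLabel({ name }) {
      // Assumption: a label that is already gone reports 404 first, as seen on PR #17.
      if (!labels.has(name)) throw httpError(404, 'Not Found');
      requireIssuesScope();
      labels.delete(name);
    },
    current: () => [...labels].sort(),
  };
}

// Label sync in the shape the PR describes (hypothetical, not the repo's script):
// remove stale managed labels, tolerating 404, then call addLabels only for a
// non-empty add set. An empty add set never exercises the token's scopes.
function syncLabels(api, payloadLabels, desired, managedPrefixes) {
  const managed = (l) => managedPrefixes.some((p) => l.startsWith(p));
  for (const name of payloadLabels.filter((l) => managed(l) && !desired.includes(l))) {
    try {
      api.removeLabel({ name });
    } catch (e) {
      if (e.status !== 404) throw e; // already gone: nothing to do
    }
  }
  const add = desired.filter((l) => !payloadLabels.includes(l));
  if (add.length === 0) return { called: false, added: [] };
  api.addLabels({ labels: add });
  return { called: true, added: add };
}

// One labeler invocation, reporting the outcome instead of throwing.
function runLabeler(scopes, repoLabels, payloadLabels, desired) {
  const api = makeFakeIssuesApi(scopes, repoLabels);
  try {
    return { ok: true, ...syncLabels(api, payloadLabels, desired, ['kind/', 'area/']), labels: api.current() };
  } catch (e) {
    return { ok: false, status: e.status, labels: api.current() };
  }
}
```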

Review Change Stack

addLabels and removeLabel call the issues API endpoint
(POST /repos/.../issues/{number}/labels) even when the target is a
pull request. Without 'issues: write' the workflow token cannot
mutate labels and the call returns HTTP 403 'Resource not accessible
by integration'.

The previous 'pull-requests: write' grant covers the PR conversation
surface — comments, reviewers, merge state — but not labels, which
GitHub treats as an issues resource. Add the missing scope and
document the reasoning inline so a future reader does not retry the
same mistake.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@github-actions github-actions Bot added size/XS This PR changes 0-9 lines, ignoring generated files area/ci Issues or PRs related to CI workflows, GitHub Actions, automation kind/bug Categorizes issue or PR as related to a bug labels May 27, 2026

coderabbitai Bot commented May 27, 2026

Walkthrough

GitHub Actions workflow permissions for the pr-labeler are documented by expanding the permissions block with explicit comments clarifying that pull-requests: write and issues: write are required for label edits and PR conversation edits respectively.

Changes

PR Labeler Permissions Documentation

Layer: Workflow permissions documentation
File(s): .github/workflows/pr-labeler.yaml
Summary: Workflow-level permissions block is expanded with explanatory comments detailing that issues: write is required for label edits via the Issues API and pull-requests: write is needed for PR conversation edits.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A rabbit tends the workflow gate,
With write permissions, clean and straight,
Issues, pull requests—both defined,
Comments flow and labels bind. 🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: adding the issues:write permission to the pr-labeler workflow to fix a permission issue.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/workflows/pr-labeler.yaml (1)

15-16: ⚡ Quick win

Drop pull-requests: write from .github/workflows/pr-labeler.yaml (least privilege).

The workflow only adds/removes labels via github.rest.issues.removeLabel / github.rest.issues.addLabels (Issues API). The pull-requests: write permission (and the accompanying “edit PR conversation” comment) doesn’t match the current implementation; keep issues: write instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-labeler.yaml around lines 15 - 16, Remove the
unnecessary "pull-requests: write" permission entry from the workflow and keep
only "issues: write"; specifically delete the "pull-requests: write" permission
token so the workflow aligns with the APIs actually used
(github.rest.issues.removeLabel and github.rest.issues.addLabels) and does not
grant edit-PR permissions that the code never uses.
📥 Commits

Reviewing files that changed from the base of the PR and between cd25edf and 2e53efc.

📒 Files selected for processing (1)
  • .github/workflows/pr-labeler.yaml

Labels

area/ci Issues or PRs related to CI workflows, GitHub Actions, automation kind/bug Categorizes issue or PR as related to a bug size/XS This PR changes 0-9 lines, ignoring generated files
