fix: grant pull-requests: write permission in label-pr-intent workflow

[Copilot]

Pull Request Checklist

• I have read and followed the CONTRIBUTING.md guidelines.
• I have read and followed the Guidance for submissions involving paid services.
• My contribution adds a new instruction, prompt, agent, skill, or workflow file in the correct directory.
• The file follows the required naming convention.
• The content is clearly structured and follows the example format.
• I have tested my instructions, prompt, agent, skill, or workflow with GitHub Copilot.
• I have run npm start and verified that README.md is up to date.
• I am targeting the staged branch for this pull request.

---

Description

The label-pr job was failing with HTTP 403 on every PR. The GitHub API for adding labels (POST /issues/{number}/labels) requires both issues=write and pull_requests=write — the workflow only granted pull-requests: read, which was insufficient.

Fix: bump pull-requests permission from read → write in label-pr-intent.yml:

# before
permissions:
  issues: write
  pull-requests: read

# after
permissions:
  issues: write
  pull-requests: write

The x-accepted-github-permissions: issues=write; pull_requests=write response header from the failing API call confirmed both scopes are required.

Note on CI check for this PR: Because this workflow uses the pull_request_target trigger, GitHub always runs it from the base branch (staged), not the head branch. The label-pr check on this PR will therefore still show as failing until it is merged into staged — this is expected behaviour inherent to pull_request_target. Once merged, the fix will take effect for all future PRs.

---

Type of Contribution

• New instruction file.
• New prompt file.
• New agent file.
• New plugin.
• New skill file.
• New agentic workflow.
• Update to existing instruction, prompt, agent, plugin, skill, or workflow.
• Other (please specify):

---

Additional Notes

Affected job: label-pr / run 25345875449

---

By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.

[Copilot]

Pull request overview

This pull request fixes a failing GitHub Actions workflow by adjusting the GITHUB_TOKEN permissions so the label-pr job can successfully apply labels to pull requests without hitting HTTP 403 errors.

Changes:

• Updated the workflow permissions to grant pull-requests: write (previously read) alongside issues: write.

Show a summary per file

File	Description
.github/workflows/label-pr-intent.yml	Grants pull-requests: write so the label-application job can label PRs successfully.

Copilot's findings

• Files reviewed: 1/1 changed files
• Comments generated: 0

[aaronpowell]

@copilot still failed

[Copilot]

@copilot still failed

The CI failure on this PR is expected due to how pull_request_target works — GitHub always runs that workflow from the base branch (staged), not the head branch. So even though my branch has pull-requests: write, the running workflow is still reading label-pr-intent.yml from staged (which still has pull-requests: read).

The fix is correct and will take effect for all PRs once this is merged into staged. There's no way to make the label-pr check green on this specific PR before the fix lands on the base branch — it's an inherent constraint of the pull_request_target trigger.