fix(labeling): execute canonical label sync in workflow

[ashleyshaw]

Summary

• make scripts/agents/includes/label-sync.js executable when run directly in CI
• wire GITHUB_TOKEN and deterministic DRY_RUN behaviour into the labeling workflow sync step
• document sync behaviour in issue labels guide

Why

Issue #66 requires canonical label and seeding workflow alignment. The workflow was invoking node scripts/agents/includes/label-sync.js, but that file had no CLI entrypoint, so sync was effectively a no-op.

Changes

• Added a CLI runner to label-sync.js that:
  • reads canonical labels from .github/labels.yml
  • authenticates with GITHUB_TOKEN
  • performs canonical sync + validation
  • exits non-zero if validation fails
• Updated .github/workflows/labeling.yml sync step env:
  • GITHUB_TOKEN from workflow secret
  • DRY_RUN=true on pull_request events
  • non-PR events use workflow/input default (false when not provided)
• Updated docs/ISSUE_LABELS.md automation section for the new sync execution contract.

Validation

• node scripts/validation/validate-labeling-configs.cjs
• npx eslint scripts/agents/includes/label-sync.js
• npx markdownlint-cli2 docs/ISSUE_LABELS.md
• npx spectral lint .github/workflows/labeling.yml --ruleset .spectral-workflows.cjs

Links

• Parent epic: [Epic] Label governance stabilisation and automation hardening #449
• Task: [Workflows/Docs] Canonical labels + org seeding workflow #66

[coderabbitai]

Warning

Review limit reached

@ashleyshaw, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 26 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 598e4d7d-4ffe-46f8-88f3-f7c237c8241d

📥 Commits

Reviewing files that changed from the base of the PR and between b675298 and 6b3b7e1.

📒 Files selected for processing (3)

• .github/workflows/labeling.yml
• docs/ISSUE_LABELS.md
• scripts/agents/includes/label-sync.js

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/66-label-seeding-hardening

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Reviewer Summary for PR #450

CI Status: ✅ success
Files changed: 3

Recommendations

• Ready to proceed pending human review

[gemini-code-assist]

Code Review

This pull request updates the label synchronization script (label-sync.js) to support running as an executable CLI in CI, and updates the documentation accordingly. The feedback suggests a safer way to parse the repository owner and name from environment variables to prevent potential runtime crashes when github.context.repo is accessed without a properly configured environment.

[gemini-code-assist]

Accessing github.context.repo directly can throw an unhandled exception if the GITHUB_REPOSITORY environment variable is missing or malformed (for example, when running or testing the script locally). Since github.context.repo simply parses process.env.GITHUB_REPOSITORY under the hood, we can safely extract the owner and repository directly from the environment variables. This avoids potential runtime crashes and allows our custom error handling on line 487 to gracefully report the missing configuration.

Suggested change

	const owner =
	process.env.GITHUB_REPOSITORY_OWNER || github.context.repo.owner;
	const repo =
	process.env.GITHUB_REPOSITORY?.split("/")[1] || github.context.repo.repo;
	const [repoOwner, repoName] = (process.env.GITHUB_REPOSITORY || "").split("/");
	const owner = process.env.GITHUB_REPOSITORY_OWNER || repoOwner;
	const repo = repoName;

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ae96ef2391

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Paginate labels before enabling the CLI sync

The new CLI path now executes syncLabelsWithCanonical()/validateRepoLabels() in CI, but those helpers only request a single listLabelsForRepo page with per_page: 100; Octokit’s pagination docs note per_page tops out at 100. This repository’s .github/labels.yml already contains 149 canonical labels, so once a repo has the full canonical set the CLI only sees the first 100 existing labels, treats the rest as missing, and the validation step fails every labeling run even though the labels are present. Please fetch all pages via octokit.paginate(...) before validating or syncing.

Useful? React with 👍 / 👎.

[github-actions]

🔍 Reviewer Summary for PR #450

CI Status: ✅ success
Files changed: 3

Recommendations

• Ready to proceed pending human review