Skip to content

ci(labeler): move 'permissions' to the workflow level so labels apply on fork PRs#10766

Open
sukvvon wants to merge 1 commit into
mainfrom
ci/labeler-fork-pr-permissions
Open

ci(labeler): move 'permissions' to the workflow level so labels apply on fork PRs#10766
sukvvon wants to merge 1 commit into
mainfrom
ci/labeler-fork-pr-permissions

Conversation

@sukvvon
Copy link
Copy Markdown
Collaborator

@sukvvon sukvvon commented May 23, 2026
edited
Loading

🎯 Changes

Move the permissions block from the labeler job up to the workflow level (and drop the now-empty workflow-level permissions: {}) so the GITHUB_TOKEN keeps pull-requests: write on fork PRs.

GitHub Actions caps the token granted to a workflow run from a forked repository to the permissions declared at the workflow level — job-level overrides are ignored in that case. With permissions: {} at the top, fork PRs received a read-only token and actions/labeler failed with Resource not accessible by integration (see e.g. PR #10765 run).

The new shape matches the official actions/labeler recommended permissions and the labeler workflow already used in TanStack/router.

✅ Checklist

  • I have followed the steps in the Contributing guide.
  • I have tested this code locally with pnpm run test:pr.

🚀 Release Impact

  • This change affects published code, and I have generated a changeset.
  • This change is docs/CI/dev-only (no release).

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow configuration to optimize permission handling and improve security by explicitly defining required access levels at the workflow level.

Review Change Stack

@sukvvon sukvvon requested a review from a team as a code owner May 23, 2026 13:26
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 23, 2026
edited
Loading

📝 Walkthrough

Walkthrough

The PR updates the labeler.yml GitHub Actions workflow by refactoring permissions from a job-level configuration to a workflow-level configuration. The new permissions block explicitly grants contents: read and pull-requests: write at the workflow scope.

Changes

GitHub Actions Workflow Permissions Configuration

Layer / File(s) Summary
Workflow permissions relocation
.github/workflows/labeler.yml		 Permissions configuration moved from job-level to workflow-level, explicitly granting contents: read and pull-requests: write.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow once hidden its keys in a job,
Now they're declared at the top, loud and clear! 🔑
Permissions flow freely from workflow to action—
Labeler hops faster without the confusion! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely describes the main change: moving the permissions block to workflow level to enable labeler on fork PRs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The pull request description comprehensively covers all required sections with clear motivation and proper checklist completion.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/labeler-fork-pr-permissions

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 23, 2026

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

@nx-cloud
Copy link
Copy Markdown

nx-cloud Bot commented May 23, 2026
edited
Loading

View your CI Pipeline Execution ↗ for commit e759c42

Command Status Duration Result
nx run-many --target=build --exclude=examples/*... ✅ Succeeded <1s View ↗
nx affected --targets=test:sherif,test:knip,tes... ✅ Succeeded 28s View ↗

☁️ Nx Cloud last updated this comment at 2026-05-23 13:30:38 UTC

@sukvvon sukvvon self-assigned this May 23, 2026
@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 23, 2026

More templates

@tanstack/angular-query-experimental

npm i https://pkg.pr.new/@tanstack/angular-query-experimental@10766

@tanstack/eslint-plugin-query

npm i https://pkg.pr.new/@tanstack/eslint-plugin-query@10766

@tanstack/lit-query

npm i https://pkg.pr.new/@tanstack/lit-query@10766

@tanstack/preact-query

npm i https://pkg.pr.new/@tanstack/preact-query@10766

@tanstack/preact-query-devtools

npm i https://pkg.pr.new/@tanstack/preact-query-devtools@10766

@tanstack/preact-query-persist-client

npm i https://pkg.pr.new/@tanstack/preact-query-persist-client@10766

@tanstack/query-async-storage-persister

npm i https://pkg.pr.new/@tanstack/query-async-storage-persister@10766

@tanstack/query-broadcast-client-experimental

npm i https://pkg.pr.new/@tanstack/query-broadcast-client-experimental@10766

@tanstack/query-core

npm i https://pkg.pr.new/@tanstack/query-core@10766

@tanstack/query-devtools

npm i https://pkg.pr.new/@tanstack/query-devtools@10766

@tanstack/query-persist-client-core

npm i https://pkg.pr.new/@tanstack/query-persist-client-core@10766

@tanstack/query-sync-storage-persister

npm i https://pkg.pr.new/@tanstack/query-sync-storage-persister@10766

@tanstack/react-query

npm i https://pkg.pr.new/@tanstack/react-query@10766

@tanstack/react-query-devtools

npm i https://pkg.pr.new/@tanstack/react-query-devtools@10766

@tanstack/react-query-next-experimental

npm i https://pkg.pr.new/@tanstack/react-query-next-experimental@10766

@tanstack/react-query-persist-client

npm i https://pkg.pr.new/@tanstack/react-query-persist-client@10766

@tanstack/solid-query

npm i https://pkg.pr.new/@tanstack/solid-query@10766

@tanstack/solid-query-devtools

npm i https://pkg.pr.new/@tanstack/solid-query-devtools@10766

@tanstack/solid-query-persist-client

npm i https://pkg.pr.new/@tanstack/solid-query-persist-client@10766

@tanstack/svelte-query

npm i https://pkg.pr.new/@tanstack/svelte-query@10766

@tanstack/svelte-query-devtools

npm i https://pkg.pr.new/@tanstack/svelte-query-devtools@10766

@tanstack/svelte-query-persist-client

npm i https://pkg.pr.new/@tanstack/svelte-query-persist-client@10766

@tanstack/vue-query

npm i https://pkg.pr.new/@tanstack/vue-query@10766

@tanstack/vue-query-devtools

npm i https://pkg.pr.new/@tanstack/vue-query-devtools@10766

commit: e759c42

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 23, 2026

size-limit report 📦

Path Size
react full 12.1 KB (0%)
react minimal 9.07 KB (0%)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@sukvvon sukvvon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sukvvon