Problem
Contributors who open a PR from a fork have no write/triage permission on
this repo, so they cannot add labels to their own PR. Today the maintainer has to
label every fork PR by hand, and the contribution arrives unlabelled.
Proposed solution — auto-label via GitHub Actions
Add a workflow that applies labels automatically, alongside the existing CI under
.github/workflows/.
Path-based labelling with actions/labeler:
- Trigger on
pull_request_target (not pull_request). This runs in the
base repo's context, so it has the permissions needed to label PRs that
originate from forks — pull_request from a fork would not.
- Drive it from a
.github/labeler.yml mapping changed paths → existing labels,
e.g.:
tokenline.sh, install.sh → area:statusline
src/** → area:installer
.github/**, CI/scripts → area:tooling
- docs/
README* → area:meta
- Grant the job
permissions: { pull-requests: write, contents: read }.
Optional add-ons:
- Label by PR title (Conventional Commits → type), e.g.
feat: → feature,
fix: → bug, refactor: → refactor.
- Apply a default
needs:triage label so nothing slips through unlabelled.
Security note
pull_request_target runs with the base repo's secrets and write token. This is
safe for labelling because actions/labeler only reads the PR's file list —
it does not check out or execute the fork's code. Do not add steps under
this trigger that build or run untrusted PR code.
Acceptance criteria
- A PR opened from a fork that touches
tokenline.sh automatically receives
area:statusline (no maintainer action).
- The workflow uses
pull_request_target with pull-requests: write.
- No step under that trigger checks out or executes fork code.
Problem
Contributors who open a PR from a fork have no write/triage permission on
this repo, so they cannot add labels to their own PR. Today the maintainer has to
label every fork PR by hand, and the contribution arrives unlabelled.
Proposed solution — auto-label via GitHub Actions
Add a workflow that applies labels automatically, alongside the existing CI under
.github/workflows/.Path-based labelling with
actions/labeler:pull_request_target(notpull_request). This runs in thebase repo's context, so it has the permissions needed to label PRs that
originate from forks —
pull_requestfrom a fork would not..github/labeler.ymlmapping changed paths → existing labels,e.g.:
tokenline.sh,install.sh→area:statuslinesrc/**→area:installer.github/**, CI/scripts →area:toolingREADME*→area:metapermissions: { pull-requests: write, contents: read }.Optional add-ons:
feat:→feature,fix:→bug,refactor:→refactor.needs:triagelabel so nothing slips through unlabelled.Security note
pull_request_targetruns with the base repo's secrets and write token. This issafe for labelling because
actions/labeleronly reads the PR's file list —it does not check out or execute the fork's code. Do not add steps under
this trigger that build or run untrusted PR code.
Acceptance criteria
tokenline.shautomatically receivesarea:statusline(no maintainer action).pull_request_targetwithpull-requests: write.