diff --git a/.github/issue-labeler.yml b/.github/issue-labeler.yml
index 5a685d6d4..44e1c951c 100644
--- a/.github/issue-labeler.yml
+++ b/.github/issue-labeler.yml
@@ -1,16 +1,21 @@
 # Configuration for github/issue-labeler - body-based labels
 # See: https://github.com/github/issue-labeler
 # Uses regex patterns to match PR/issue body content
-# Note: [xX] matches both lowercase and uppercase X in checkboxes
+# All checkbox patterns require ## Type of change header first to avoid matching examples
 ---
 bug:
- - '\[[xX]\]\s*[Bb]ugfix'
+ - '## Type of change[\s\S]*?- \[[xX]\]\s*[Bb]ugfix'
 enhancement:
- - '\[[xX]\]\s*[Nn]ew [Ff]eature'
+ - '## Type of change[\s\S]*?- \[[xX]\]\s*[Nn]ew [Ff]eature'
 breaking-change:
- - '\[[xX]\]\s*[Bb]reaking [Cc]hange'
+ # Checkbox in Type of change section
+ - '## Type of change[\s\S]*?- \[[xX]\]\s*[Bb]reaking [Cc]hange'
+ # Breaking change section with content after HTML comment
+ - '^[\s\S]*?# Breaking change[\s\S]*?-->\s*\n+[A-Z][a-z]+[\s\S]*?## Proposed change'
+ # Breaking change section with HTML comment removed
+ - '^[\s\S]*?# Breaking change\s*\n+[A-Z][a-z]+[\s\S]*?## Proposed change'
 code-quality:
- - '\[[xX]\]\s*[Cc]ode [Qq]uality'
+ - '## Type of change[\s\S]*?- \[[xX]\]\s*[Cc]ode [Qq]uality'
diff --git a/.github/workflows/repository.yaml b/.github/workflows/repository.yaml
index aa8a85034..78f1bddd5 100644
--- a/.github/workflows/repository.yaml
+++ b/.github/workflows/repository.yaml
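Review bot: The `## Type of change` prefix only rules out examples that appear before that header; because the `[\s\S]*?` that follows it is unbounded, a checked `- [x] Bugfix` anywhere later in the PR body (including text pasted into an unrelated section) still matches the `bug`, `enhancement`, `breaking-change` and `code-quality` patterns, so the stated goal in the new header comment is only partly met. If the action evaluates these as JavaScript regexes, as the linked project suggests, the match can be confined to that section with a tempered wildcard that stops at the next heading, e.g. `- '## Type of change(?:(?!\n## )[\s\S])*?- \[[xX]\]\s*[Bb]ugfix'`, applied to all four checkbox entries. The two `# Breaking change` patterns also carry a leading `^[\s\S]*?` that adds nothing when the body is searched rather than fully matched; `- '# Breaking change[\s\S]*?-->\s*\n+[A-Z][a-z]+[\s\S]*?## Proposed change'` reads the same. A one-line comment above `bug:` noting that the PR body is untrusted input and every pattern is run against the whole body would help the next maintainer judge changes here.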
@@ -5,24 +5,11 @@ name: Repository
 on:
 push:
 branches: [main]
- pull_request:
- types:
- - edited
- - labeled
- - opened
- - reopened
- - synchronize
- - unlabeled
- # pull_request_target is needed for fork PRs - it runs in the base repo context
- # with elevated permissions required for pull-requests: write
+ # pull_request_target runs in base repo context with write permissions,
+ # needed for fork PRs. Safe for auto-merge since it only runs for trusted
+ # actors (dependabot, pre-commit-ci, or manually labeled PRs).
 pull_request_target:
- types:
- - edited
- - labeled
- - opened
- - reopened
- - synchronize
- - unlabeled
+ types: [edited, labeled, opened, reopened, synchronize, unlabeled]
 workflow_dispatch:
 permissions:
@@ -54,10 +41,10 @@ jobs:
 auto-merge:
 name: Auto Merge
 runs-on: ubuntu-latest
- # Only run on pull_request events (not push, pull_request_target, or workflow_dispatch)
+ # Only run on pull_request_target events (not push or workflow_dispatch)
 # and only for dependabot, pre-commit-ci, or PRs with auto-merge label
 if: >-
- github.event_name == 'pull_request' && (
+ github.event_name == 'pull_request_target' && (
 github.event.pull_request.user.login == 'dependabot[bot]' ||
 github.event.pull_request.user.login == 'pre-commit-ci[bot]' ||
 contains(github.event.pull_request.labels.*.name, 'auto-merge')
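Review bot: The new comment above `pull_request_target:` says the trigger is "safe for auto-merge since it only runs for trusted actors", but the trigger itself fires for every pull request including fork PRs; the actor check lives only in the `auto-merge` job's `if:`, and the `permissions:` block and any other jobs in this workflow, which now all run on untrusted PR events in the base-repo context, are outside the hunk. Any job in this file that checks out or executes PR head content under this trigger would be running untrusted code with the elevated token, which should be confirmed against the rest of the workflow. I would reword the comment so it does not overstate the guarantee: `# pull_request_target fires for every PR (including forks) with base-repo write permissions;` / `# trust is enforced per job in its if: condition - never check out or run PR head code here.` Dropping `pull_request:` also means any job that previously ran on that event now runs only under `pull_request_target`, if such jobs exist.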
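Review bot: The `if:` condition admits a PR through the `auto-merge` label, and the trigger list now includes `synchronize`, so once a maintainer labels a fork PR every later push by its author re-enters this job with base-repo write permissions; nothing in the condition ties the label to the commit that was reviewed. Whether that matters depends on the job's steps and on branch protection, which are outside the hunk (the closing parenthesis of the `if:` expression is too). If the merge step is not already gated by required reviews and status checks on the head SHA, consider restricting the label path to `github.event.action == 'labeled'` or removing the label on `synchronize`. A comment such as `# auto-merge label is applied by humans; later pushes re-run this job, so branch protection must gate the actual merge` would make the trust assumption explicit.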