From 90a6706e08fe2c938e6fd4a76039bc548df1e12d Mon Sep 17 00:00:00 2001
From: bharvey88 <8107750+bharvey88@users.noreply.github.com>
Date: Wed, 10 Jun 2026 16:00:27 -0500
Subject: [PATCH] Run label-check and auto-assign via pull_request_target
Fork-submitted PRs get a read-only token on pull_request runs, so the label and assignee bots fail with 403. pull_request_target runs in the base repo context with a write token; safe here because neither job checks out or executes PR code. Build jobs stay on pull_request. Trim ci.yml permissions to what the builds need.
---
 .github/workflows/autoassign.yml | 5 ++++-
 .github/workflows/ci.yml | 7 -------
 .github/workflows/label-check.yml | 20 ++++++++++++++++++++
 3 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/label-check.yml
diff --git a/.github/workflows/autoassign.yml b/.github/workflows/autoassign.yml
index 604d6d5..d4895a8 100644
--- a/.github/workflows/autoassign.yml
+++ b/.github/workflows/autoassign.yml
@@ -1,8 +1,11 @@
 name: Auto Assign
+# pull_request_target (not pull_request) so assignment works on
+# fork-submitted PRs; fork pull_request runs get a read-only token.
+# Safe because this workflow never checks out or executes PR code.
 on:
 issues:
 types: [opened]
- pull_request:
+ pull_request_target:
 types: [opened]
 jobs:
 run:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f02c6d7..ccdea2d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,17 +3,10 @@ on:
 pull_request:
 permissions:
- # Allow GITHUB_TOKEN to add labels to pull requests
- pull-requests: write
- issues: write
 contents: read
 id-token: write
 jobs:
- label-check:
- name: Label Check
- uses: ApolloAutomation/Workflows/.github/workflows/label-check.yml@main
-
 ci:
 name: Building ${{ matrix.file }} / ESPHome ${{ matrix.esphome-version }}
 runs-on: ubuntu-latest
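Review bot: No `permissions:` block is visible in this hunk, so under `pull_request_target` the job's write token inherits the repository default scope rather than the minimum the assign step needs; add an explicit workflow-level block such as `permissions:` / `  issues: write` / `  pull-requests: write` (trimmed to whatever the assign action actually calls) alongside the new trigger. The added comment's claim that the workflow never checks out or executes PR code cannot be confirmed from this hunk, because the `run:` job body continues outside it; it stays true only while no step checks out the PR head ref, so a one-line reminder next to the job, `# do not add actions/checkout of the PR head here: this runs with a base-repo write token`, would protect the assumption from a later edit. The same missing-permissions point does not apply to label-check.yml, which declares its scopes.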
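Review bot: `id-token: write` survives the trim although the commit message says ci.yml permissions were cut to what the builds need; unless a build step mints an OIDC token (cloud or registry auth via a `uses:` action that requests one), the block should read just `permissions:` / `  contents: read`. The `ci` job body continues outside the hunk, so this may well be required there — verify before removing it. If it is required, a comment on the line such as `id-token: write  # required by <step name> for OIDC auth` would record why it is kept, the way the removed comment did for the label scopes.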
diff --git a/.github/workflows/label-check.yml b/.github/workflows/label-check.yml
new file mode 100644
index 0000000..96a9751
--- /dev/null
+++ b/.github/workflows/label-check.yml
@@ -0,0 +1,20 @@
+name: Label Check
+
+# pull_request_target (not pull_request) so the job gets a write token on
+# fork-submitted PRs too; plain pull_request runs from forks are read-only
+# and cannot add labels. Safe because the called workflow only reads the PR
+# body and never checks out or executes PR code. The "edited" type re-runs
+# the check when the template checkboxes are changed.
+on:
+ pull_request_target:
+ types: [opened, edited, reopened, synchronize]
+
+permissions:
+ pull-requests: write
+ issues: write
+ contents: read
+
+jobs:
+ label-check:
+ name: Label Check
+ uses: ApolloAutomation/Workflows/.github/workflows/label-check.yml@main
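Review bot: The reusable workflow is called at the mutable `@main` ref while this file now runs it under `pull_request_target` with `pull-requests: write` and `issues: write` on the base repository, so the safety claim in the header comment ("only reads the PR body and never checks out or executes PR code") depends on the current content of a branch outside this repo and can stop being true on any push to ApolloAutomation/Workflows without a change here. Pin the call to a full commit SHA and bump it deliberately, `uses: ApolloAutomation/Workflows/.github/workflows/label-check.yml@<40-char-commit-sha>  # <tag or date>`; ci.yml used the same `@main` ref before this commit, but there fork PRs ran with the read-only token, which is no longer the case. The `synchronize` type also means every push to an open fork PR triggers this privileged run, which is acceptable for a body-parsing check but is worth stating in the comment so the trigger list is not widened casually.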