
Fix label-check and auto-assign on fork PRs#40

Merged
TrevorSchirmer merged 1 commit into beta from fix-fork-pr-workflows on Jun 12, 2026

Conversation


@bharvey88 bharvey88 commented Jun 10, 2026

Contributor

Version: N/A (workflows only, does not publish)

What does this implement/fix?

Fixes the Label Check and Auto Assign failures on fork-submitted PRs (seen on the CO2 auto calibration PR).

Workflows triggered by pull_request from a fork run with a read-only token, so actions-ecosystem/action-add-labels and pozil/auto-assign-issue fail with 403 Resource not accessible by integration. Moving those two jobs to pull_request_target runs them in the base repo's context with a write token.

  • Label Check moves out of ci.yml into its own label-check.yml on pull_request_target (with edited in the trigger types, so fixing a checkbox re-runs the check). The firmware build jobs stay on pull_request, since they compile PR-controlled YAML and must never get a write token.
  • autoassign.yml switches its PR trigger to pull_request_target (issues trigger unchanged).
  • ci.yml permissions are trimmed to what the build jobs need.

This is safe because neither moved job checks out or executes PR code. Depends on ApolloAutomation/Workflows#24, which hardens the reusable label-check against script injection from the PR body; that PR should merge first.

Same fix is rolling out to every device repo with these workflows: AIR-1, MSR-2, MTR-1, R_PRO-1, PLT-1, TEMP-1, BTN-1, H-1, H-2, MSR-1, and PUMP-1.

Types of changes

  • Bugfix (fixed change that fixes an issue)
  • New feature (thanks!)
  • Breaking change (repair/feature that breaks existing functionality)
  • Dependency Update - Does not publish
  • Other - Does not publish
  • Website of github readme file update - Does not publish
  • Github workflows - Does not publish

Checklist:

  • The code change has been tested and works locally
  • The code change has not yet been tested

If user-visible functionality or configuration variables are added/modified:

  • Added/updated documentation for the web page

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions for enhanced security
    • Modified pull request automation to better handle fork submissions
    • Added a new label checking workflow for pull requests

Fork-submitted PRs get a read-only token on pull_request runs, so the
label and assignee bots fail with 403. pull_request_target runs in the
base repo context with a write token; safe here because neither job
checks out or executes PR code. Build jobs stay on pull_request. Trim
ci.yml permissions to what the builds need.

coderabbitai Bot commented Jun 10, 2026


Walkthrough

GitHub Actions workflows are refactored to improve security: a new dedicated label-check.yml workflow handles label validation with explicit permissions and pull_request_target triggering, the main ci.yml workflow has its permissions tightened to minimal scope (contents:read, id-token:write) and removes the label-check job, and autoassign.yml switches to pull_request_target for fork-safe PR assignment.

Changes

Workflow Security Refactoring

Layer: Extract label-check workflow and tighten CI permissions
File(s): .github/workflows/label-check.yml, .github/workflows/ci.yml
Summary: New label-check.yml workflow delegates to an external reusable workflow with explicit pull-requests: write and issues: write permissions on pull_request_target events. The ci.yml workflow removes the label-check job definition and restricts permissions to contents: read and id-token: write only.

Layer: Secure PR assignment for fork submissions
File(s): .github/workflows/autoassign.yml
Summary: The PR trigger switches from pull_request to pull_request_target with added inline comments documenting fork behavior and workflow safety assumptions, while the issues trigger for opened events remains unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Workflows now wear tighter belts,
Each task gets its own domain,
Fork submissions handled safe,
GitHub Actions made quite plain. ✨

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main changes: switching label-check and auto-assign workflows to use pull_request_target to fix permissions issues on fork PRs.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@TrevorSchirmer

Member

@coderabbitai help


coderabbitai Bot commented Jun 11, 2026


Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

CodeRabbit commands

These commands are invoked using PR/Issue comments.

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai rate limit to show your current review rate limit status.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai evaluate custom pre-merge check --instructions <custom-checks-instructions> --name <custom-checks-title> [--mode <error|warning>] to validate the custom pre-merge checks instructions. Defaults to error when --mode is omitted.
  • @coderabbitai ignore pre-merge checks to override pre-merge checks and get an approval on PR.
  • @coderabbitai run pre-merge checks to run pre-merge checks on the pull request.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai generate unit tests to generate unit tests for this PR.
  • @coderabbitai emit path instructions to emit generated path-specific review instructions for this repository.
  • @coderabbitai resolve merge conflict to automatically resolve merge conflicts.
  • @coderabbitai autofix to automatically fix issues identified in unresolved review comments.
  • @coderabbitai resolve to resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai generate configuration to create a PR that adds the current resolved configuration as .coderabbit.yaml (or show it if already present).
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit configuration file (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, support, documentation and community

  • Visit our status page to check the current availability of CodeRabbit.
  • Create a ticket on our support page for assistance with any issues or questions.
  • Visit our documentation site for detailed information on how to use CodeRabbit.
  • Join our Discord community to connect with other users and get help from the community.
  • Follow us on X/Twitter for updates and announcements.

@TrevorSchirmer

Member

@coderabbitai review


coderabbitai Bot commented Jun 11, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@TrevorSchirmer

Member

@coderabbitai full review


coderabbitai Bot commented Jun 11, 2026

✅ Action performed

Full review finished.

@TrevorSchirmer

Member

@coderabbitai full review


coderabbitai Bot commented Jun 12, 2026

✅ Action performed

Full review finished.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/label-check.yml:
- Around line 18-20: The workflow uses external reusable actions via the `uses:`
keys (e.g., the `label-check` job referencing
`ApolloAutomation/Workflows/.github/workflows/label-check.yml@main` and the
other workflow referencing `pozil/auto-assign-issue@v2`); replace those
branch/tag refs with immutable full commit SHAs (obtain the commit SHA for the
target repo/branch and update the `uses:` values to
`owner/repo/path@<full-sha>`), and audit transitive reusable workflows/actions
referenced by those workflows to ensure any nested `uses:` are also pinned to
full SHAs rather than branches or tags.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9959a411-cdfe-4d53-8884-0006c36e2f8f

📥 Commits

Reviewing files that changed from the base of the PR and between 623f8cb and bb25a90.

📒 Files selected for processing (3)
  • .github/workflows/autoassign.yml
  • .github/workflows/ci.yml
  • .github/workflows/label-check.yml
💤 Files with no reviewable changes (1)
  • .github/workflows/ci.yml

Comment on lines +18 to +20 of .github/workflows/label-check.yml:

  label-check:
    name: Label Check
    uses: ApolloAutomation/Workflows/.github/workflows/label-check.yml@main


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# List workflow files
echo "== Workflows =="
ls -la .github/workflows || true
echo

# Show label-check.yml around stated lines
echo "== label-check.yml (head) =="
sed -n '1,120p' .github/workflows/label-check.yml || true
echo
echo "== label-check.yml (lines 1-80 with numbers) =="
nl -ba .github/workflows/label-check.yml | sed -n '1,80p' || true
echo

# Find and show autoassign.yml (if exists)
if [ -f .github/workflows/autoassign.yml ]; then
  echo "== autoassign.yml (head) =="
  sed -n '1,160p' .github/workflows/autoassign.yml
  echo
  echo "== autoassign.yml (lines 1-140 with numbers) =="
  nl -ba .github/workflows/autoassign.yml | sed -n '1,140p'
else
  echo "== autoassign.yml not found =="
  rg -n --hidden "autoassign" .github/workflows || true
fi

# Check for pull_request_target workflows and permissions/write tokens
echo
echo "== pull_request_target workflows =="
rg -n --hidden "pull_request_target:" .github/workflows || true
echo

echo "== permissions blocks under pull_request_target =="
# Print files and nearby lines for permissions
rg -n --hidden -U "pull_request_target:([^\n]*\n){0,30}[[:space:]]*permissions:" .github/workflows || true
echo

# Check external uses refs in those files
echo "== External uses in label-check.yml =="
rg -n --hidden "uses:" .github/workflows/label-check.yml || true
echo
echo "== External uses in autoassign.yml =="
if [ -f .github/workflows/autoassign.yml ]; then
  rg -n --hidden "uses:" .github/workflows/autoassign.yml || true
fi
echo

# Also search any other workflow using pull_request_target with external uses
echo "== Other pull_request_target jobs with uses: (all workflows) =="
rg -n --hidden -U "pull_request_target:[\s\S]*?uses:\s" .github/workflows || true

Repository: ApolloAutomation/PUMP-1

Length of output: 1999


🌐 Web query:

ApolloAutomation/Workflows#24 hardening pin commit SHA label-check reusable workflow

💡 Result:

There is no public GitHub issue #24 in the ApolloAutomation/Workflows repository, as this repository does not appear to exist [1][2]. Apollo Automation is a home automation hardware company [3], and its GitHub organization (ApolloAutomation) focuses on device firmware and integration tools [1][3]. The query appears to conflate a common supply-chain security best practice—hardening reusable workflows by pinning actions and internal references to commit SHAs—with the "Apollo" name. Pinning to full-length commit SHAs is a critical security measure to prevent supply-chain attacks, as it ensures that workflow code is immutable and cannot be altered by force-pushing tags or branches [4][5][6]. If you are implementing this hardening pattern in your own workflows, current industry best practices involve [4][5][6][7]: 1. Pinning all actions and reusable workflows to full 40-character commit SHAs (e.g., uses: actions/checkout@de0fac2e...). 2. Performing audit checks on the call graph to ensure that transitive reusable workflows are also pinned to SHAs [4]. 3. Avoiding mutable references like branches (main, master) or tags (v1, v2) in production CI/CD pipelines [8][5][6]. For context, Apollo Automation's GitHub organization does exist [1], but its repository structure is dedicated to hardware projects like AIR-1, MSR-1, and MSR-2 [1], rather than generic workflow automation libraries [1][3]. Additionally, there is a separate entity/project named "Apollo-Workflows" that focuses on academic or scientific workflow choreography [9][10], but it is unrelated to Apollo Automation's hardware business [3].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== pull_request_target workflows using external uses: (all workflows) =="
rg -n --hidden -U "pull_request_target:|uses:" .github/workflows/*.yml || true

echo
echo "== label-check.yml external uses ref =="
rg -n --hidden "uses:" .github/workflows/label-check.yml || true

echo
echo "== autoassign.yml external uses ref =="
rg -n --hidden "uses:" .github/workflows/autoassign.yml || true

Repository: ApolloAutomation/PUMP-1

Length of output: 1020


Pin external uses: refs in pull_request_target workflows to immutable commit SHAs

.github/workflows/label-check.yml uses the external reusable workflow ApolloAutomation/Workflows/.github/workflows/label-check.yml@main, and .github/workflows/autoassign.yml uses pozil/auto-assign-issue@v2, both under pull_request_target with write permissions—pin these uses: references to full commit SHAs (and ensure transitive reusable workflows/actions are pinned too).

🧰 Tools
🪛 zizmor (1.25.2)

[error] 20-20: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


Source: Linters/SAST tools
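The two points this thread turns on, the PR description's argument that pull_request_target is only safe while the job never checks out PR code, and the review's finding that the `uses:` refs in those write-token workflows should be pinned to full commit SHAs, can both be checked mechanically. The script below is an added example, not code from the ApolloAutomation repos, from CodeRabbit or from zizmor; it scans workflow text line by line without a YAML library, and the three sample workflows embedded in it are constructed for the demonstration (the `@main` caller follows the lines quoted in the review, the pinned variant uses an all-zero placeholder SHA rather than a real commit, and the third is the checkout-under-pull_request_target anti-pattern the PR deliberately avoids).

```python
"""Audit GitHub Actions workflow text for the two fork-PR hazards raised in
this thread: `uses:` refs not pinned to a commit SHA, and pull_request_target
jobs that check out the PR head. Added example; not code from the
ApolloAutomation repos, CodeRabbit or zizmor. It scans line by line without
a YAML library, which covers the usual `key: value` workflow layout but is
not a full YAML parser."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
# Checkout refs that resolve to code controlled by the PR author.
PR_HEAD_REF_RE = re.compile(
    r"^\s*ref:\s*.*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)")
# Mapping, list and scalar forms of the pull_request_target trigger.
TARGET_TRIGGER_RE = re.compile(
    r"^\s*(pull_request_target\s*:|on:\s*\[[^\]]*\bpull_request_target\b"
    r"|on:\s*pull_request_target\b)", re.M)


def unpinned_uses(workflow_text):
    """Return (line_no, ref) for each `uses:` whose version is not a 40-hex
    commit SHA. Local actions (./path) and docker:// images are skipped: they
    are not fetched through a mutable git branch or tag."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.rpartition("@")  # no "@" at all is also unpinned
        if not SHA_RE.match(version):
            findings.append((no, ref))
    return findings


def pr_head_checkout_under_target(workflow_text):
    """True when the workflow runs on pull_request_target AND checks out the PR
    head. That pairing hands PR-controlled code the base repo's write token
    and secrets; the thread's safety argument rests on never doing it."""
    if not TARGET_TRIGGER_RE.search(workflow_text):
        return False
    return any(PR_HEAD_REF_RE.match(line) for line in workflow_text.splitlines())


def audit(name, workflow_text):
    """Run both checks on one workflow and return a plain dict."""
    return {
        "workflow": name,
        "unpinned_uses": unpinned_uses(workflow_text),
        "pr_head_checkout_under_target": pr_head_checkout_under_target(workflow_text),
    }


# Constructed sample 1: the caller shape quoted in the review (lines 18-20 of
# label-check.yml), still on a branch ref, and never checking out PR code.
LABEL_CHECK_AT_MAIN = """\
name: Label Check
on:
  pull_request_target:
    types: [opened, edited, synchronize]
permissions:
  pull-requests: write
  issues: write
jobs:
  label-check:
    name: Label Check
    uses: ApolloAutomation/Workflows/.github/workflows/label-check.yml@main
"""

# Constructed sample 2: the same caller pinned as the review asks. The
# all-zero SHA is a placeholder, not a real commit.
LABEL_CHECK_PINNED = LABEL_CHECK_AT_MAIN.replace("@main", "@" + "0" * 40)

# Constructed sample 3: the anti-pattern the PR deliberately avoids, a build
# on pull_request_target that checks out and runs PR-controlled code.
RISKY_BUILD = """\
name: Build
on: [pull_request_target]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make
"""

if __name__ == "__main__":
    for name, text in [("label-check@main", LABEL_CHECK_AT_MAIN),
                       ("label-check@sha", LABEL_CHECK_PINNED),
                       ("risky-build", RISKY_BUILD)]:
        print(audit(name, text))
```

Run against the three samples, the `@main` caller produces one unpinned-uses finding and no head-checkout finding (matching the zizmor result on line 20 of the real file), the pinned variant is clean, and the build sample trips both checks. The second check is the one a reviewer should care about most when a PR moves jobs onto pull_request_target: the write token is only acceptable because no step ever runs code from the fork.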

@TrevorSchirmer TrevorSchirmer merged commit 1cf2bfa into beta Jun 12, 2026
7 checks passed
@TrevorSchirmer TrevorSchirmer deleted the fix-fork-pr-workflows branch June 12, 2026 01:33