fix: Move PR size labeler to dedicated workflow (#1816)

osterman · claude · web-flow · commit 154490bfbdcc · 2025-11-28T16:54:49.000-05:00
* fix: Move PR size labeler to dedicated workflow with elevated permissions Move the pr-size-labeler job from codeql.yml to a new dedicated workflow that uses pull_request_target event. This grants write permissions needed to label PRs from forks, fixing the 403 error for non-member contributors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: Remove redundant job name from pr-size-labeler workflow 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: Rename job ID for cleaner workflow display Changes job ID from "pr-size-labeler" to "label" so the GitHub Actions UI shows "PR Size Labeler / label" instead of redundant naming. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -205,35 +205,3 @@ jobs:
             > {{ provided }}
             > ```
             > You'll need to add one before this PR can be merged.
-
-  pr-size-labeler:
-    name: PR Size Labeler
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: PR Size Labeler
-        uses: ./.github/actions/pr-sizer
-        with:
-          xs_label: "size/xs"
-          xs_max_size: "10"
-          s_label: "size/s"
-          s_max_size: "100"
-          m_label: "size/m"
-          m_max_size: "500"
-          l_label: "size/l"
-          l_max_size: "1000"
-          xl_label: "size/xl"
-          fail_if_xl: "false"
-          files_to_ignore: |
-            package-lock.json
-            yarn.lock
-            go.sum
-          ignore_line_deletions: "false"
-          ignore_file_deletions: "false"
diff --git a/.github/workflows/pr-size-labeler.yml b/.github/workflows/pr-size-labeler.yml
@@ -0,0 +1,43 @@
+name: "PR Size Labeler"
+
+# Use pull_request_target to get write permissions for PRs from forks.
+# This is safe because we only use the GitHub API to read file metadata -
+# we never checkout or execute code from the PR.
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          # Checkout the base branch (not the PR head) for security.
+          # We only need the action definition from .github/actions/pr-sizer/
+          ref: ${{ github.base_ref }}
+
+      - name: PR Size Labeler
+        uses: ./.github/actions/pr-sizer
+        with:
+          xs_label: "size/xs"
+          xs_max_size: "10"
+          s_label: "size/s"
+          s_max_size: "100"
+          m_label: "size/m"
+          m_max_size: "500"
+          l_label: "size/l"
+          l_max_size: "1000"
+          xl_label: "size/xl"
+          fail_if_xl: "false"
+          files_to_ignore: |
+            package-lock.json
+            yarn.lock
+            go.sum
+          ignore_line_deletions: "false"
+          ignore_file_deletions: "false"
