fix: run required labels on pull_request_target #151

Open
Kaiser-Wu wants to merge 2 commits into coze-dev:main from Kaiser-Wu:feature/fix-required-labels-workflow
@Kaiser-Wu

What changed

  • switch the required-labels workflow trigger from pull_request to pull_request_target
  • document why the workflow is safe to run in the base repository context

Why

Fork-based PRs currently fail the label check with Resource not accessible by integration because the workflow tries to comment on the PR while running under the restricted pull_request token.

This workflow only inspects PR metadata and does not check out or execute PR code, so pull_request_target is the appropriate trigger.

Validation

  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/required-labels.yml"); puts "ok"'

@CLAassistant

CLAassistant commented Mar 27, 2026

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai bot commented Mar 27, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3653f03a-8200-40a9-a09f-dffe241fb9ad

📥 Commits

Reviewing files that changed from the base of the PR and between fcf565b and 976119f.

📒 Files selected for processing (1)
  • .github/workflows/required-labels.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/required-labels.yml

📝 Walkthrough

Walkthrough

Changed the GitHub Actions workflow trigger from pull_request to pull_request_target, pinned the mheap/github-action-required-labels action to a specific commit SHA, and ensured the YAML file ends with a trailing newline.

Changes

Cohort / File(s) | Summary
Workflow Configuration: .github/workflows/required-labels.yml | Replaced trigger pull_request → pull_request_target; added comments clarifying it runs in the base repo context and only inspects PR metadata; pinned mheap/github-action-required-labels from @v5 to a commit SHA; added trailing newline to file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I nudged the trigger, swift and neat,
Pinned a hash so versions meet,
Metadata checked from home, not guest,
A tidy newline—now at rest 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'fix: run required labels on pull_request_target' directly and accurately summarizes the main change in the changeset.
Description check | ✅ Passed | The description clearly explains the changes made, the reason for the workflow trigger switch, and includes validation evidence, all directly related to the changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/required-labels.yml:
- Line 5: The workflow currently uses the mutable tag
mheap/github-action-required-labels@v5; replace that mutable ref with a full
commit SHA to pin the action and mitigate supply-chain risk. Locate the step
that references mheap/github-action-required-labels@v5 and update the uses value
to mheap/github-action-required-labels@<full-commit-sha> (obtain the SHA from
the action repo’s commit history or the release you intend to pin), then commit
the change so the workflow references the immutable commit SHA instead of the v5
tag.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d8f0728c-af15-4ba1-bf15-aed75a753cb3

📥 Commits

Reviewing files that changed from the base of the PR and between a1dad15 and fcf565b.

📒 Files selected for processing (1)
  • .github/workflows/required-labels.yml
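
Added example (not part of the PR or the project's code): a Ruby audit, in the spirit of the YAML-load validation in the PR description, that checks the two properties this thread relies on: a pull_request_target workflow never checks out the PR head, and every remote action is pinned to a full commit SHA. The sample workflows and the 40-hex SHA are constructed placeholders, and audit_workflow is a hypothetical helper name.

```ruby
require "yaml"

# Constructed sample workflows; the SHA in SAFE is a placeholder, not a real commit.
RISKY = <<~'YAML'
  on:
    pull_request_target:
  jobs:
    label:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - uses: mheap/github-action-required-labels@v5
YAML

SAFE = <<~'YAML'
  on:
    pull_request_target:
  jobs:
    label:
      runs-on: ubuntu-latest
      steps:
        - uses: mheap/github-action-required-labels@0123456789abcdef0123456789abcdef01234567
YAML

PR_HEAD_REF = %r{github\.event\.pull_request\.head|github\.head_ref|refs/pull/}

# Returns [rule, location, detail] triples for a workflow given as YAML text.
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  # Psych follows YAML 1.1, so the bare key `on` may load as boolean true.
  triggers = doc["on"] || doc[true]
  names = (triggers.is_a?(Hash) ? triggers.keys : Array(triggers)).map(&:to_s)
  privileged = names.include?("pull_request_target")
  findings = []
  (doc["jobs"] || {}).each do |job_name, job|
    (job["steps"] || []).each_with_index do |step, i|
      where = "#{job_name}.steps[#{i}]"
      uses = step["uses"].to_s
      remote = !uses.empty? && !uses.start_with?("./", "docker://")
      # A tag such as @v5 can be moved; only a 40-hex commit SHA is immutable.
      findings << [:unpinned_action, where, uses] if remote && uses !~ /@\h{40}\z/
      # Fetching the PR head here would run fork code with the base repo's token.
      ref = step.dig("with", "ref").to_s
      if privileged && uses.start_with?("actions/checkout@") && ref.match?(PR_HEAD_REF)
        findings << [:checkout_pr_head, where, ref]
      end
    end
  end
  findings
end
```

An empty result for a pull_request_target workflow means it matches what the PR description claims: metadata only, no PR code, pinned actions.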
