This is general "write" permissions to the repository, or is there something more granular for applying labels only? 😓

So this is interesting.

PR docs:

Pull requests are a type of issue. Any actions that are available in both pull requests and issues, like managing assignees, labels, and milestones, are provided by the REST API to manage issues

Then I found this:
https://github.com/orgs/community/discussions/13565#discussioncomment-4915757

So we can only get to issues: write which I suppose has a smaller blast radius but that's as much granularity as we can currently get out of GH. I am not sure it's worth changing. Is it?

Hmm good one. If that works for both issues and PRs, perhaps we should?

I knew issues and PRs were the same behind the scenes; there's even an API to convert an issue to a PR! (or at least, there used to be one)

Oh, or is changing that widening the scope? (currently only label PR's but with that change both issues and PRs?)

I feel like it's widening the scope but on things that may be less harmful per see i.e. full write scope on PR can change the code in the PR (if compromised) but the full issue scope can't, though it can change anything in issues.
Dunno, seems like a bit of a stalemate and we'll have to make a compromise

Yeah, my concern is indeed about the code (git repository). Widening scope to both issues and PRs is fine, but if one of those options means "but don't allow write access to the git repository", that's what I'd like.

@crazy-max any recommendations?

This is fine as long as we don't "Checkout" the repository and/or don't do any git operations which is the case with actions/labeler. We have done the same with @dvdksn, see docker/docs#18738

PTAL @thaJeztah 😄

Not needed

removed 😄