Add automatic PR labeling based on file changes and conventional commits

[Copilot]

Automatic Labeling Implementation - Review Comments Addressed ✅

Changes Made Based on Review Comments

Workflow Security Improvements:

• ✅ Removed repository-projects: write permission from labeler.yml (unnecessary for labeling)
• ✅ Removed pull-requests: write permission from setup-labels.yml (not needed for label management)
• ✅ Added persist-credentials: false to checkout step in labeler.yml (prevents credential persistence)
• ✅ Changed continue-on-error: true to conditional execution with if: steps.check-labels.outputs.missing_labels != 'true'

Documentation Updates:

• ✅ Updated permissions documentation in AUTOMATIC_LABELING.md to match actual workflow
• ✅ Fixed troubleshooting section to clarify fork PR support with pull_request_target
• ✅ Updated AUTOMATIC_LABELING_IMPLEMENTATION.md status claims to be factual rather than asserting pass results
• ✅ Updated security features section to accurately reflect workflow permissions

Configuration Fixes:

• ✅ Fixed label count validation in setup-labels.yml to use correct regex pattern for top-level keys

Review Comments Addressed

1. Comment 2809257669: Removed repository-projects: write - ✅ Fixed
2. Comment 2809257678: Changed error handling from continue-on-error to conditional - ✅ Fixed
3. Comment 2809257683: Updated documentation to match workflow permissions - ✅ Fixed
4. Comment 2809257685: Updated implementation doc security section - ✅ Fixed
5. Comment 2809257686: Added persist-credentials: false to checkout - ✅ Fixed
6. Comment 2809257691: Fixed label count regex pattern - ✅ Fixed
7. Comment 2809257695: Updated fork PR troubleshooting guidance - ✅ Fixed
8. Comment 2809257697: Rephrased status claims to be factual - ✅ Fixed
9. Comment 2809257700: Reduced setup-labels.yml permissions - ✅ Fixed

Validation

✅ YAML syntax validated for both workflows
✅ Permissions reduced to minimal scopes required
✅ Error handling improved with conditional execution
✅ Documentation aligned with actual implementation
✅ Security improvements applied (no credential persistence)

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Adds an automated pull request labeling system to this static website repo, to improve PR triage and consistency using file-path rules plus conventional-commit style signals.

Changes:

• Introduces label rules in .github/labeler.yml (files, title, and body based matching + size labels).
• Adds workflows to (a) create/update the repo’s label catalog and (b) apply labels automatically on PR events.
• Documents setup/usage in .github/ docs and links the user guide from README.md.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
README.md	Links to the new automatic labeling documentation.
.github/workflows/setup-labels.yml	Manual workflow to create/update the repository label set.
.github/workflows/labeler.yml	PR workflow that applies labels automatically using actions/labeler.
.github/labeler.yml	Labeling rules for file patterns, PR title/body signals, and size labels.
.github/AUTOMATIC_LABELING.md	User-facing guide for how labeling works and how to troubleshoot.
.github/AUTOMATIC_LABELING_IMPLEMENTATION.md	Technical/implementation summary of the labeling system.

[Copilot]

Job permissions are broader than required for PR labeling. repository-projects: write is not needed to apply labels and increases the blast radius for a pull_request_target workflow; drop it and keep only the minimal scopes needed (typically pull-requests: write + issues: write, plus contents: read if checkout is retained).

Suggested change

repository-projects: write # Required for repository management

[Copilot]

continue-on-error: true on the labeling step will hide real failures (bad config, permission regression, action outage) and can silently stop applying labels. Consider failing the workflow on errors, or conditionally skipping labeling only when missing_labels is true and surfacing a clear failure otherwise.

Suggested change

	uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
	with:
	repo-token: "${{ secrets.GITHUB_TOKEN }}"
	sync-labels: false # Don't sync labels to avoid permission issues
	configuration-path: .github/labeler.yml
	dot: true # Enable dotfiles processing
	continue-on-error: true # Continue even if some labels can't be created
	if: steps.check-labels.outputs.missing_labels != 'true'
	uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
	with:
	repo-token: "${{ secrets.GITHUB_TOKEN }}"
	sync-labels: false # Don't sync labels to avoid permission issues
	configuration-path: .github/labeler.yml
	dot: true # Enable dotfiles processing

[Copilot]

The documented permissions don’t match the workflow. The labeler job currently also requests repository-projects: write, so the doc statement about “only has permissions for contents:read, pull-requests:write, issues:write” is incorrect; please align docs with the actual workflow permissions (or reduce the workflow permissions to match the doc).

Suggested change

	- Only has permissions for contents:read, pull-requests:write, issues:write
	- Uses the following permissions: `contents: read`, `pull-requests: write`, `issues: write`, `repository-projects: write`

[Copilot]

This section claims minimal permissions, but the actual workflow currently requests additional write scopes (e.g., repository-projects: write). Either reduce the workflow permissions to be minimal, or update this documentation to match the real permissions.

Suggested change

	- ✅ **Minimal permissions** (contents:read, pull-requests:write)
	- ✅ **Scoped permissions aligned with workflow needs** (contents:read, pull-requests:write, repository-projects:write)

[Copilot]

Because this runs on pull_request_target with write permissions, avoid persisting a write-capable token in the checkout. Use persist-credentials: false and remove the explicit token: unless it’s strictly required; this reduces risk if additional steps are added later.

Suggested change

	token: ${{ secrets.GITHUB_TOKEN }}
	persist-credentials: false

[Copilot]

The label count validation is incorrect: grep -E "^[a-z].*:" will also match nested YAML keys like any: and changed-files: (and will overcount). Use a pattern that matches only top-level keys (no indentation), or use yq to count the top-level mapping keys.

Suggested change

	# Count labels in config
	label_count=$(grep -E "^[a-z].*:" .github/labeler.yml | wc -l)
	# Count top-level, non-comment label keys in config
	label_count=$(grep -E '^[^[:space:]#][^:]*:' .github/labeler.yml | wc -l)

[Copilot]

This troubleshooting step is inaccurate: the workflow uses pull_request_target, so it can run for fork PRs as well (the key safety requirement is to avoid checking out/executing PR code). Update this guidance to reflect the actual behavior and the real security constraint.

Suggested change

	4. Ensure the PR is not from a fork (labeler only works on same-repo PRs for security)
	4. Confirm the labeler workflow run completed successfully for the PR (including fork PRs); the workflow uses `pull_request_target`, so it can label forks as long as it does **not** check out or execute untrusted PR code

[Copilot]

This document asserts outcomes that can’t be guaranteed over time (e.g., “Complete”, “Security Review: Passed (Code Review + CodeQL)”). These statements are likely to become stale/misleading; consider rephrasing to describe what is configured (e.g., “includes CodeQL/labeler hardening”) rather than claiming pass results.

Suggested change

	## 📋 Implementation Complete
	**Date:** 2026-02-15
	**Status:** ✅ Complete and Ready for Testing
	**Security Review:** ✅ Passed (Code Review + CodeQL)
	## 📋 Implementation Snapshot
	**As-of date:** 2026-02-15
	**Status:** Configuration implemented and available for testing
	**Security controls:** Code review process in place and CodeQL analysis configured for relevant workflows

[Copilot]

Workflow-level permissions are broader than needed for managing labels. gh label create/edit/delete operates on issue labels, so pull-requests: write is likely unnecessary here; consider limiting to contents: read (if checkout is required) and issues: write to follow least-privilege.

Suggested change

	# Enhanced permissions for label management
	permissions:
	contents: read
	issues: write
	pull-requests: write
	# Minimal permissions for label management (least privilege)
	permissions:
	contents: read
	issues: write

[pethers]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

All review comments addressed in commit 0393703:

Security improvements:

• Removed unnecessary repository-projects: write permission from labeler workflow
• Removed unnecessary pull-requests: write permission from setup-labels workflow
• Added persist-credentials: false to checkout step
• Changed error handling from continue-on-error to conditional execution

Documentation fixes:

• Updated permissions documentation to match actual workflows
• Fixed fork PR troubleshooting guidance to clarify pull_request_target behavior
• Rephrased implementation status to be factual rather than assertive
• Fixed label count validation regex pattern

All workflows validated with YAML syntax checks.

[sonarqubecloud]

Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.