Creating labels seems to require new permission

[UncleSamSwiss]

Describe the bug

Running your action causes the following error:

Run # Label PR.
gh: You do not have permission to create labels on this repository. (HTTP 403)
Error: Process completed with exit code 1.

According to googleapis/release-please-action#1105 (comment) adding issues: write solves this.

permissions:
  actions: read        # Required to identify workflow run.
  checks: write        # Required to add status summary.
  contents: read       # Required to checkout repository.
  pull-requests: write # Required to add comment .
+ issues: write        # Required to add label.

To Reproduce

1. Create a workflow with these permissions and this step:

jobs:
  deploy:
    permissions:
      actions: read
      checks: write
      contents: read
      pull-requests: write

    steps:
     ...
      - uses: op5dev/tf-via-pr@v13
        with:
          working-directory: terraform
          command: ${{ github.event_name == 'pull_request' && 'plan' || 'apply' }}
          validate: true
          arg-lock: ${{ github.event_name != 'pull_request' }}

2. Run workflow
3. Error happens

Expected behavior

Job shouldn't fail when creating the label.

Documentation and examples mention additional required permission.

[rdhar]

Great spot, @UncleSamSwiss, thanks for raising!

This is a frustrating one because it seems like a recent, unannounced change, and it hasn't even been reflected in GitHub's API documentation yet. So there's no telling if it'll revert back to supporting pull-requests: write or if issues: write is the only way forward.

Personally, I'm apprehensive of requiring yet another permission. I think it's a lot to ask of end-users to trust their infrastructure provisioning to a random GitHub Action, so every effort is made to reduce our scope/footprint.

That being said, I agree that the Action shouldn't fail the workflow as a whole just because it couldn't create/apply a PR label. Until this is patched in the next release (you'll be the first to be notified), as a workaround, it's possible to pass in label-pr: false to skip labelling altogether.

[rdhar]

Happy to see this shipped with v13.3.2 (v13), where your contribution has been credited!

Please consider ⭐ this project, if you or your team find it useful.

---

@UncleSamSwiss Thank you for bringing this to light as well as well as linking to the issues: write source! If this additional permission isn't present, then the Action will now suppress the error and continue as-is. Over the next few weeks, we'll keep an eye on GitHub's API docs to track any changes and amend TF-via-PR's documentation accordingly. Fingers-crossed that pull-requests: write is restored access so no more additional access is required. 🤞