
fix: run required labels on pull_request_target#151

Open
Kaiser-Wu wants to merge 1 commit into coze-dev:main from Kaiser-Wu:feature/fix-required-labels-workflow

Conversation

@Kaiser-Wu

What changed

  • switch the required-labels workflow trigger from pull_request to pull_request_target
  • document why the workflow is safe to run in the base repository context

Why

Fork-based PRs currently fail the label check with "Resource not accessible by integration" because the workflow tries to comment on the PR while running under the restricted pull_request token.

This workflow only inspects PR metadata and does not check out or execute PR code, so pull_request_target is the appropriate trigger.

Validation

  • ruby -e 'require "yaml"; YAML.load_file(".github/workflows/required-labels.yml"); puts "ok"'

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@coderabbitai

coderabbitai bot commented Mar 27, 2026


Walkthrough

Updated the GitHub Actions workflow trigger in the required-labels configuration from pull_request to pull_request_target to safely inspect PR metadata without checking out PR code, and fixed file formatting by adding a trailing newline.

Changes

  • Cohort / File(s): Workflow Configuration, .github/workflows/required-labels.yml
    Summary: Changed trigger from pull_request to pull_request_target with documentation comments explaining the security benefit of inspecting PR metadata without checking out code. Added trailing newline to file ending.


Pre-merge checks: 3 passed

  • Title check: Passed. The title accurately summarizes the main change: switching the required-labels workflow trigger from pull_request to pull_request_target.
  • Description check: Passed. The description clearly explains what changed, why the change was necessary, and how it was validated, all directly related to the changeset.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Actionable comments posted: 1


Inline comments:
In @.github/workflows/required-labels.yml:
- Line 5: The workflow currently uses the mutable tag
mheap/github-action-required-labels@v5; replace that mutable ref with a full
commit SHA to pin the action and mitigate supply-chain risk. Locate the step
that references mheap/github-action-required-labels@v5 and update the uses value
to mheap/github-action-required-labels@<full-commit-sha> (obtain the SHA from
the action repo’s commit history or the release you intend to pin), then commit
the change so the workflow references the immutable commit SHA instead of the v5
tag.
📥 Commits

Reviewing files that changed from the base of the PR and between a1dad15 and fcf565b.

📒 Files selected for processing (1)
  • .github/workflows/required-labels.yml

pull_request:
# Run on the base repository context so fork PRs can still post label reminders.
# This workflow does not check out or execute PR code; it only inspects PR metadata.
pull_request_target:
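Review bot: The two comment lines document the trust model, but nothing in the file enforces it. pull_request_target runs in the base repository with its secrets and, as the review below notes, a write-capable token on line 5, so the safety argument holds only while no step checks out or executes PR code. Suggest narrowing the top-level permissions block to what the label action actually needs (pull-requests: write, with contents: read or nothing else) and treating any future actions/checkout step in this workflow, particularly one using ref: ${{ github.event.pull_request.head.sha }}, as a blocking review item rather than relying on the comment alone.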

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether workflow actions are pinned to full commit SHAs.
# Expected: no matches after remediation.

rg -nP --type=yaml '^\s*-\s*uses:\s*[^@]+@(?!(?:[a-f0-9]{40})$).+' .github/workflows

Repository: coze-dev/coze-java

Length of output: 431


🏁 Script executed:

cat -n .github/workflows/required-labels.yml

Repository: coze-dev/coze-java

Length of output: 1035


Pin the action to a commit SHA to mitigate supply-chain risk.

This workflow uses pull_request_target with write permissions on line 5. The action at line 14 (mheap/github-action-required-labels@v5) is pinned to a mutable ref, which creates a supply-chain vulnerability. Pin to a full commit SHA instead.

Suggested fix
-      - uses: mheap/github-action-required-labels@v5
+      - uses: mheap/github-action-required-labels@<full_commit_sha>
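Review bot: The <full_commit_sha> placeholder in the + line has to become the 40-character hex SHA that the v5 tag currently resolves to, taken from the action's own repository history rather than from a third-party mirror; suggest keeping the version as a trailing comment, i.e. "- uses: mheap/github-action-required-labels@<full_commit_sha> # v5", so readers and update tooling can still see which release the SHA corresponds to.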
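The thread raises two workflow-hardening points: the pull_request_target trust model from the PR description (safe only while no PR code is checked out or run) and the SHA-pinning check from the review. The script below is an added example, not code from this PR or the coze-java repository. It implements both checks with plain grep so it runs without rg, using two constructed sample workflows written to a temporary directory; the pinned 40-hex value in the "good" sample is a placeholder, not a real commit of mheap/github-action-required-labels.

```shell
#!/bin/sh
# Added example: static checks for the two workflow risks discussed in this PR.
# The sample workflow files below are constructed for the demo; they are not the
# coze-java workflow, and the pinned SHA is a placeholder, not a real commit.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/.github/workflows"

# A metadata-only workflow: pull_request_target, minimal permissions, SHA-pinned action.
cat > "$WORKDIR/.github/workflows/labels-ok.yml" <<'EOF'
name: Required labels
on:
  pull_request_target:
    types: [opened, labeled, unlabeled, synchronize]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: mheap/github-action-required-labels@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder SHA)
EOF

# The combination to catch: pull_request_target plus a checkout of the PR head,
# which runs untrusted fork code with the base repository's secrets and write token.
cat > "$WORKDIR/.github/workflows/risky.yml" <<'EOF'
name: Risky
on:
  pull_request_target:
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
EOF

# Print every `uses:` line whose ref is not a full 40-hex commit SHA.
# Same idea as the rg pattern in the review above, written for plain grep.
find_unpinned_uses() {
  grep -HnE '^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*[^@[:space:]]+@' "$1" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# Number of unpinned action refs in a file (0 when everything is SHA-pinned).
count_unpinned() {
  find_unpinned_uses "$1" | awk 'END { print NR }'
}

# Exit 0 when a workflow is triggered by pull_request_target AND references the
# PR head sha/ref (the usual sign that it checks out fork code); exit 1 otherwise.
check_pr_target_checkout() {
  grep -qE '^[[:space:]]*pull_request_target:' "$1" || return 1
  grep -qE 'github\.event\.pull_request\.head\.(sha|ref)' "$1" || return 1
  return 0
}

# Scan a workflows directory and report both findings for each file.
scan_workflows() {
  for f in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$f" ] || continue
    echo "== $f: $(count_unpinned "$f") unpinned action ref(s)"
    find_unpinned_uses "$f"
    if check_pr_target_checkout "$f"; then
      echo "   DANGER: pull_request_target workflow checks out PR head code"
    fi
  done
}

scan_workflows "$WORKDIR/.github/workflows"
```

Run it from a repository root after replacing the constructed samples with a scan of the real .github/workflows directory; the first check is the one the review asks for on this PR, and the second is the one that would catch a future change that quietly adds a checkout step to the pull_request_target workflow.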
