docs: note contents:read requirement in pr-labeler-reusable header #16

Merged: bryanbeverly merged 1 commit into main from docs/reusable-comment-contents-read, Jun 16, 2026

@bryanbeverly bryanbeverly commented Jun 15, 2026

Contributor

Summary

Update the header comment in pr-labeler-reusable.yml to reflect what callers actually need to grant. It previously said Callers must grant: pull-requests: write, which is now incomplete: the labeler also reads CODEOWNERS via the Contents API to compute domain/* labels, which requires contents: read. Since a declared permissions: block sets unlisted scopes to none, a caller granting only pull-requests: write silently disables domain labeling.

Also refreshes the stale "size/risk/checkbox" description to "size/risk/template/domain" (the template moved to yes/no; checkbox is now only a parsing fallback).

Comment-only change; no behavior change. Addresses review feedback on trufflesecurity/slack-integration-service#581.

Review guidance

  • Urgent (needs same-day review): no
  • High complexity (non-obvious logic, careful review): no
  • Key files to focus on: .github/workflows/pr-labeler-reusable.yml

Testing

Comment-only; no runtime impact. The matching caller-permission change (contents: read) is being merged per consumer repo (e.g. slack-integration-service#581), and the operator docs are updated in trufflesecurity/.github-private#11.

Deployment notes

None -- comment-only.


Note

Low Risk
Comment-only documentation in a workflow file; no runtime or permission behavior changes in this repo.

Overview
Updates the header comment on PR Labeler (Reusable) so caller permission requirements match current behavior—no workflow logic changes.

The comment now says callers must grant contents: read (to read CODEOWNERS for domain/* labels) in addition to pull-requests: write, and explains that omitting contents: read when declaring permissions: can silently break domain labeling. It also renames the described scope from “size/risk/checkbox” to size/risk/template/domain, aligned with how the labeler works today.

Reviewed by Cursor Bugbot for commit 0339048.

@bryanbeverly bryanbeverly requested review from a team and mikewalters-truffle June 15, 2026 19:37
@bryanbeverly bryanbeverly merged commit 528fdfe into main Jun 16, 2026
3 checks passed
@bryanbeverly bryanbeverly deleted the docs/reusable-comment-contents-read branch June 16, 2026 18:54
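
An added example (not code from this repository or from the PR author): a check for the failure mode the summary describes, where a caller declares permissions: but leaves out contents: read. It assumes caller workflows have already been parsed from YAML into dicts; the ORG/REPO/...@REF path and the sample workflows are constructed placeholders, and the rule that job-level permissions replace workflow-level ones is GitHub Actions behaviour, not something stated on this page.

```python
# Added example: flag caller jobs whose declared permissions starve the labeler.
# Workflows are plain dicts (already-parsed YAML); all sample data is constructed.

REQUIRED = {"pull-requests": "write", "contents": "read"}  # from the PR summary
RANK = {"none": 0, "read": 1, "write": 2}
REUSABLE = ".github/workflows/pr-labeler-reusable.yml"


def effective(declared, scope):
    """Access level a declared `permissions:` value yields for one scope."""
    if isinstance(declared, str):  # shorthand forms
        return {"read-all": "read", "write-all": "write"}.get(declared, "none")
    # A mapping (including the empty {}) sets every unlisted scope to none.
    return declared.get(scope, "none")


def audit(workflow):
    """Return {job_id: [missing grants]} for jobs that call the reusable labeler."""
    findings = {}
    for job_id, job in workflow.get("jobs", {}).items():
        if REUSABLE not in str(job.get("uses", "")):
            continue
        # Job-level permissions replace workflow-level ones; they do not merge.
        declared = job.get("permissions", workflow.get("permissions"))
        if declared is None:
            # Nothing declared: the token uses the repo/org default,
            # which cannot be determined from the YAML alone.
            findings[job_id] = ["undeclared: depends on repository default"]
            continue
        missing = [f"{s}: {need}" for s, need in REQUIRED.items()
                   if RANK[effective(declared, s)] < RANK[need]]
        if missing:
            findings[job_id] = missing
    return findings


USES = "ORG/REPO/" + REUSABLE + "@REF"  # placeholder path, not from the page
BEFORE = {"jobs": {"label": {"uses": USES,
                             "permissions": {"pull-requests": "write"}}}}
AFTER = {"jobs": {"label": {"uses": USES,
                            "permissions": {"pull-requests": "write",
                                            "contents": "read"}}}}
INHERITED = {"permissions": {"contents": "read"},
             "jobs": {"label": {"uses": USES}}}

if __name__ == "__main__":
    for name, wf in [("before", BEFORE), ("after", AFTER), ("inherited", INHERITED)]:
        print(name, audit(wf))
```
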