Fix labeler workflow for fork PRs using workflow_run pattern #10045

Draft
Copilot wants to merge 5 commits into master from copilot/fix-labeler-workflow-permissions

Copilot AI commented Feb 16, 2026

The labeler workflow fails on fork PRs because pull_request events from forks receive read-only GITHUB_TOKEN, preventing label writes.

Changes

Split into two workflows using workflow_run pattern:

Trigger workflow (labeler.yml)

  • Runs on pull_request (opened, reopened, synchronize)
  • Saves PR number as artifact
  • No write permissions needed

Apply workflow (labeler_apply.yml)

  • Triggers via workflow_run after trigger completes
  • Runs in base repo context with write permissions
  • Downloads PR number artifact via dawidd6/action-download-artifact
  • Calculates PR size using actions/github-script:
    • Sums additions + deletions across all files (with pagination)
    • Applies size label: xs ≤10, s ≤100, m ≤500, l ≤1000, xl >1000
    • Removes previous size labels before applying new one
    • Posts XL warning comment (idempotent check prevents duplicates)

Implementation notes

  • Pagination handles PRs with >100 files
  • Error handling for label removal edge cases
  • XL warning message unchanged from original
  • No workflow failure on XL PRs (fail_if_xl: false)

Original prompt

Problem

The current labeler workflow (.github/workflows/labeler.yml) doesn't work when PRs are opened from forks because the GITHUB_TOKEN for pull_request events from forks only gets read-only permissions, causing the label write to fail.

The current workflow triggers directly on pull_request and tries to write labels with pull-requests: write permission, which is not granted for fork PRs:

name: labeler

on: [pull_request]

jobs:
  labeler:
    permissions:
      pull-requests: write
      contents: read
      issues: write
    runs-on: ubuntu-latest
    name: Label the PR size
    steps:
      - uses: codelytv/pr-size-labeler@4ec67706cd878fbc1c8db0a5dcd28b6bb412e85a # v1
        with:
          xs_label: "size/xs"
          xs_max_size: "10"
          s_label: "size/s"
          s_max_size: "100"
          m_label: "size/m"
          m_max_size: "500"
          l_label: "size/l"
          l_max_size: "1000"
          xl_label: "size/xl"
          fail_if_xl: "false"
          message_if_xl: >
            This PR exceeds the recommended size of 1000 lines.
            Please make sure you are NOT addressing multiple issues with one PR.
            Note this PR might be rejected due to its size.
          github_api_url: "https://api.github.com"
          files_to_ignore: ""

Solution

Split the labeler into two workflows using the workflow_run pattern, similar to what already exists in the nf-core pipeline template (nf_core/pipeline-template/.github/workflows/linting.yml + linting_comment.yml in nf-core/tools):

Workflow 1: Trigger workflow (.github/workflows/labeler.yml)

  • Triggers on pull_request
  • Saves the PR number to a file and uploads it as an artifact
  • This runs with the fork's read-only token, which is fine since it only needs to save the PR number

Workflow 2: Apply labels workflow (.github/workflows/labeler_apply.yml)

  • Triggers on workflow_run after the trigger workflow completes
  • workflow_run always runs in the context of the default branch, so it gets a full read/write GITHUB_TOKEN
  • Downloads the PR number artifact from the triggering workflow
  • Uses the GitHub API (or an action) to determine the PR diff size and apply the appropriate size label (size/xs, size/s, size/m, size/l, size/xl)
  • Posts the "too large" warning comment if the PR exceeds 1000 lines

Important implementation details:

  • The size thresholds must remain the same: xs ≤ 10, s ≤ 100, m ≤ 500, l ≤ 1000, xl > 1000
  • The labels must remain the same: size/xs, size/s, size/m, size/l, size/xl
  • When applying a new size label, remove any previously applied size labels first (so labels update correctly when PRs are updated)
  • The XL warning message must remain the same
  • The fail_if_xl behavior should remain false (don't fail the workflow for XL PRs)
  • Use dawidd6/action-download-artifact for downloading artifacts from the triggering workflow (consistent with the existing pattern in nf-core/tools pipeline template)
  • Use actions/upload-artifact for uploading (consistent with the existing pattern)
  • Use the GitHub API via actions/github-script to calculate diff size and apply labels in the receiver workflow, since codelytv/pr-size-labeler expects to run directly on pull_request events and won't work in a workflow_run context

This pull request was created from Copilot chat.
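
The receiver logic described in the PR description above, sketched as an added example in the JavaScript that an actions/github-script step would run; it is not the PR's own script. The helper names and sample data are hypothetical. The PR-number check and the head-commit check are added here because the artifact is produced by the run triggered from the fork.

```javascript
// Added example: names below are hypothetical, not taken from the PR's script.
const SIZE_LABELS = [["size/xs", 10], ["size/s", 100], ["size/m", 500],
                     ["size/l", 1000], ["size/xl", Infinity]];

// The artifact comes from a run that executes fork-controlled code, so its
// content is untrusted: accept a plain positive integer and nothing else.
function parsePrNumber(raw) {
  const text = String(raw).trim();
  if (!/^[1-9][0-9]{0,8}$/.test(text)) {
    throw new Error("artifact does not contain a valid PR number");
  }
  return Number(text);
}

// Bind the number to the run that produced it: the PR must be open and its
// head commit must be the commit the triggering run was built from.
function matchesTriggeringRun(pr, workflowRun) {
  return pr.state === "open" && pr.head.sha === workflowRun.head_sha;
}

// files: entries shaped like the "list pull request files" API response,
// already collected across all pages.
function sizeLabel(files) {
  const changed = files.reduce((n, f) => n + f.additions + f.deletions, 0);
  return SIZE_LABELS.find(([, max]) => changed <= max)[0];
}

// Work out which labels to remove and add so exactly one size label remains.
function planLabelUpdate(currentLabels, files) {
  const target = sizeLabel(files);
  const sizeNames = SIZE_LABELS.map(([name]) => name);
  const remove = currentLabels.filter((l) => sizeNames.includes(l) && l !== target);
  const add = currentLabels.includes(target) ? [] : [target];
  return { target, remove, add, warnXl: target === "size/xl" };
}

// Constructed sample data, not real API output.
const sampleFiles = [{ additions: 400, deletions: 90 }, { additions: 10, deletions: 1 }];
const samplePr = { state: "open", head: { sha: "abc123" } };
console.log(parsePrNumber("10045\n"), matchesTriggeringRun(samplePr, { head_sha: "abc123" }),
  planLabelUpdate(["size/s", "bug"], sampleFiles));
```

In a real receiver workflow the second argument of `matchesTriggeringRun` would be the `workflow_run` object from the event payload, and labelling would be skipped when it returns false.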



Copilot AI and others added 3 commits February 16, 2026 10:02
Co-authored-by: ewels <465550+ewels@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix labeler workflow for forked pull requests" to "Fix labeler workflow for fork PRs using workflow_run pattern" Feb 16, 2026
Copilot AI requested a review from ewels February 16, 2026 10:05

jfy133 commented Feb 16, 2026

@nf-core-bot fix linting

uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
with:
github-token: ${{ github.token }}
script: |
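
Review bot: `github-token: ${{ github.token }}` under `with:` restates the default value of that input in actions/github-script, so the line can be dropped; if it stays as a reminder of which token the inline `script:` uses, say so in a YAML comment on that line.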

Contributor

if only there would be an action that does already all this (CodelyTV/pr-size-labeler@4ec6770 👀)

Member

I assumed that it needs different inputs now? Yeah:

codelytv/pr-size-labeler is designed to run on pull_request events directly and reads the PR number from github.event.pull_request.number.

In a workflow_run context, that event payload isn't available — the event is the workflow_run object instead, so the action wouldn't know which PR to label.

Member

Yeah I commented that on Slack... but assumed there is a reason why it couldn't just use that.


jfy133 commented Feb 16, 2026

Any idea what's wrong with prek, @mashehu?


mashehu commented Feb 16, 2026

nothing wrong with prek. just a prettier error without auto-fix. did it manually now

Comment on lines +3 to 6
on:
pull_request:
types: [opened, reopened, synchronize]
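
Review bot: the `types: [opened, reopened, synchronize]` list under `pull_request:` matches that event's default activity types, so it changes nothing at runtime; either drop it or keep it as documentation and add a comment above `on:` saying this workflow is the unprivileged half whose completed run the `workflow_run` receiver consumes.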

Contributor

Suggested change
on:
pull_request:
types: [opened, reopened, synchronize]
on:
pull_request_target:

This is actually the only thing needed to fix this, imo. Because the codelytv/pr-size-labeler doesn't need the code checked out, but only uses github API metadata, it shouldn't be a security risk.
