Fix label-check and auto-assign on fork PRs

[bharvey88]

Version: N/A (workflows only, does not publish)

What does this implement/fix?

Fixes the Label Check and Auto Assign failures on fork-submitted PRs (seen on the CO2 auto calibration PR).

Workflows triggered by pull_request from a fork run with a read-only token, so actions-ecosystem/action-add-labels and pozil/auto-assign-issue fail with 403 Resource not accessible by integration. Moving those two jobs to pull_request_target runs them in the base repo's context with a write token.

• Label Check moves out of ci.yml into its own label-check.yml on pull_request_target (with edited in the trigger types, so fixing a checkbox re-runs the check). The firmware build jobs stay on pull_request, since they compile PR-controlled YAML and must never get a write token.
• autoassign.yml switches its PR trigger to pull_request_target (issues trigger unchanged).
• ci.yml permissions are trimmed to what the build jobs need.

This is safe because neither moved job checks out or executes PR code. Depends on ApolloAutomation/Workflows#24, which hardens the reusable label-check against script injection from the PR body; that PR should merge first.

Same fix is rolling out to every device repo with these workflows: AIR-1, MSR-2, MTR-1, R_PRO-1, PLT-1, TEMP-1, BTN-1, H-1, H-2, MSR-1, and PUMP-1.

Types of changes

• Bugfix (fixed change that fixes an issue)
• New feature (thanks!)
• Breaking change (repair/feature that breaks existing functionality)
• Dependency Update - Does not publish
• Other - Does not publish
• Website of github readme file update - Does not publish
• Github workflows - Does not publish

Checklist / Checklijst:

• The code change has been tested and works locally
• The code change has not yet been tested

If user-visible functionality or configuration variables are added/modified:

• Added/updated documentation for the web page

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@bharvey88, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 6 minutes and 40 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1e95694a-fa67-4e19-bc68-2e0c455d37ba

📥 Commits

Reviewing files that changed from the base of the PR and between 55b820e and 90a6706.

📒 Files selected for processing (3)

• .github/workflows/autoassign.yml
• .github/workflows/ci.yml
• .github/workflows/label-check.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-fork-pr-workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}