Fix label-check and auto-assign on fork PRs

[bharvey88]

Version: N/A (workflows only, does not publish)

What does this implement/fix?

Fixes the Label Check and Auto Assign failures on fork-submitted PRs (seen on the CO2 auto calibration PR).

Workflows triggered by pull_request from a fork run with a read-only token, so actions-ecosystem/action-add-labels and pozil/auto-assign-issue fail with 403 Resource not accessible by integration. Moving those two jobs to pull_request_target runs them in the base repo's context with a write token.

• Label Check moves out of ci.yml into its own label-check.yml on pull_request_target (with edited in the trigger types, so fixing a checkbox re-runs the check). The firmware build jobs stay on pull_request, since they compile PR-controlled YAML and must never get a write token.
• autoassign.yml switches its PR trigger to pull_request_target (issues trigger unchanged).
• ci.yml permissions are trimmed to what the build jobs need.

This is safe because neither moved job checks out or executes PR code. Depends on ApolloAutomation/Workflows#24, which hardens the reusable label-check against script injection from the PR body; that PR should merge first.

Same fix is going to AIR-1, MSR-2, MTR-1, and R_PRO-1.

Types of changes

• Bugfix (fixed change that fixes an issue)
• New feature (thanks!)
• Breaking change (repair/feature that breaks existing functionality)
• Dependency Update - Does not publish
• Other - Does not publish
• Website of github readme file update - Does not publish
• Github workflows - Does not publish

Checklist / Checklijst:

• The code change has been tested and works locally
• The code change has not yet been tested

If user-visible functionality or configuration variables are added/modified:

• Added/updated documentation for the web page

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@bharvey88, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 12 minutes and 17 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8a5852cf-e0bf-4a20-b09f-56d03ed0ea19

📥 Commits

Reviewing files that changed from the base of the PR and between e4c7f95 and 681a5af.

📒 Files selected for processing (3)

• .github/workflows/autoassign.yml
• .github/workflows/ci.yml
• .github/workflows/label-check.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-fork-pr-workflows

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}