From b7bee4ef73b33c4e8357b18f8d971c7186cbad19 Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Sat, 2 Nov 2024 16:49:38 -0400
Subject: [PATCH 1/3] create adr-labeler workflow
---
.github/workflows/adr-labeler.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 .github/workflows/adr-labeler.yml
diff --git a/.github/workflows/adr-labeler.yml b/.github/workflows/adr-labeler.yml
new file mode 100644
index 0000000..b8773f6
--- /dev/null
+++ b/.github/workflows/adr-labeler.yml
@@ -0,0 +1,25 @@
+name: ADR Labeler
+
+on:
+ pull_request:
+ types: [opened, synchronize]
+ paths:
+ - 'docs/adr/**'
+
+jobs:
+ label-adr:
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+
+ steps:
+ - uses: actions/github-script@v7
+ with:
+ script: |
+ # Adding ADR label - if it already exists, this is a no-op
+ github.rest.issues.addLabels({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: context.issue.number,
+ labels: ['ADR']
+ })
From 1d41254d03a7361a25e59929d88bccc0c662d3c0 Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Wed, 6 Nov 2024 09:20:47 -0500
Subject: [PATCH 2/3] alter on: to ensure PRs from forks get upstream permissions this should allow the default token to have enough perms to label issues, even if the PR is coming from a fork.
---
.github/workflows/adr-labeler.yml | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/adr-labeler.yml b/.github/workflows/adr-labeler.yml
index b8773f6..a00623e 100644
--- a/.github/workflows/adr-labeler.yml
+++ b/.github/workflows/adr-labeler.yml
@@ -1,7 +1,7 @@
 name: ADR Labeler
 
 on:
- pull_request:
+ pull_request_target:
 types: [opened, synchronize]
 paths:
 - 'docs/adr/**'
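Review bot: The step `- uses: actions/github-script@v7` references a mutable tag while the job holds a `pull-requests: write` token, so whatever that tag points to at run time executes with the token. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: actions/github-script@<full-commit-sha>  # v7`, and let Dependabot or a similar tool propose the bumps. The job-level `permissions:` block that limits the token to `pull-requests: write` is the right scope for an `addLabels` call and should stay as the workflow evolves.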
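Review bot: `pull_request_target:` runs this workflow from the base branch with the base repository's token and secrets, including for PRs opened from forks, and nothing in the file records why that is acceptable here. It is safe only while the job never checks out, builds or evaluates content from the PR head; the visible step only calls the labels API, so that holds for the workflow as shown. Add a comment above the trigger stating the invariant, e.g. `# pull_request_target: this workflow must never check out or run code from the PR head`. The companion hunk at `@@ -9,14 +9,12 @@` removes the token scoping in the same commit, which makes the invariant matter more.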
@@ -9,14 +9,12 @@ on:
 jobs:
 label-adr:
 runs-on: ubuntu-latest
- permissions:
- pull-requests: write
-
+
 steps:
 - uses: actions/github-script@v7
 with:
 script: |
- # Adding ADR label - if it already exists, this is a no-op
+ // Adding ADR label - if it already exists, this is a no-op
 github.rest.issues.addLabels({
 owner: context.repo.owner,
 repo: context.repo.repo,
From b8896c226092897331122defecf6e9682fa4b7eb Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Wed, 6 Nov 2024 09:53:29 -0500
Subject: [PATCH 3/3] switch back to pull_request trigger for security, add comment
---
.github/workflows/adr-labeler.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/adr-labeler.yml b/.github/workflows/adr-labeler.yml
index a00623e..2b68be8 100644
--- a/.github/workflows/adr-labeler.yml
+++ b/.github/workflows/adr-labeler.yml
@@ -1,7 +1,8 @@
 name: ADR Labeler
 
 on:
- pull_request_target:
+ # PRs coming from forks will not have the write permissions required to run this action
+ pull_request:
 types: [opened, synchronize]
 paths:
 - 'docs/adr/**'
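Review bot: Removing the `permissions:` block under `label-adr` makes the job's `GITHUB_TOKEN` fall back to the repository or organization default, which can be read/write on every scope, and under `pull_request_target` that token is issued for fork PRs as well. Keep the explicit grant, `permissions:` with `pull-requests: write`, so the job holds only what `addLabels` needs whatever the default is set to. PATCH 3/3 switches the trigger back but does not restore the block, so the same gap remains in the final state of the series; if the default is read-only, labeling would then fail even for same-repository PRs. The `+` line added after `runs-on:` appears to carry only whitespace and can be dropped.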
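Review bot: The new comment records that fork PRs lack write permission, but the `label-adr` job (outside this hunk) still runs for them, so the `addLabels` call will presumably be rejected and leave a failed check on every fork PR that touches `docs/adr/**`. Skip the job for forks with a job-level condition, `if: github.event.pull_request.head.repo.full_name == github.repository`. The comment could then say what actually happens, e.g. `# Fork PRs get a read-only token under pull_request; the job is skipped for them and a maintainer applies the label`.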