From f0f29d00c62c652f07dce99d4a497b9900d052af Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Thu, 27 Feb 2025 04:47:41 +0800 Subject: [PATCH 1/3] gh-127785: Reduce permissions in the `check labels` workflow (#130596) (cherry picked from commit 5ba69e747fa9da984a307b2cbc9f82bac1e0db04) --- .github/workflows/require-pr-label.yml | 51 +++++++++++++++++++++++--- 1 file changed, 45 insertions(+), 6 deletions(-) diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml index ee91e2a39a198d..7e534c58c798d1 100644 --- a/.github/workflows/require-pr-label.yml +++ b/.github/workflows/require-pr-label.yml 
@@ -5,18 +5,57 @@ on: types: [opened, reopened, labeled, unlabeled, synchronize] jobs: - label: - name: DO-NOT-MERGE / unresolved review + label-dnm: + name: DO-NOT-MERGE if: github.repository_owner == 'python' runs-on: ubuntu-latest permissions: - issues: write - pull-requests: write + pull-requests: read timeout-minutes: 10 steps: - - uses: mheap/github-action-required-labels@v5 + - name: Check there's no DO-NOT-MERGE + uses: mheap/github-action-required-labels@v5 with: mode: exactly count: 0 - labels: "DO-NOT-MERGE, awaiting changes, awaiting change review" + labels: | + DO-NOT-MERGE + + label-reviews: + name: Unresolved review + if: github.repository_owner == 'python' + runs-on: ubuntu-latest + permissions: + pull-requests: read + timeout-minutes: 10 + + steps: + # Check that the PR is not awaiting changes from the author due to previous review. + - name: Check there's no required changes + uses: mheap/github-action-required-labels@v5 + with: + mode: exactly + count: 0 + labels: | + awaiting changes + awaiting change review + - id: is-feature + name: Check whether this PR is a feature (contains a "type-feature" label) + uses: mheap/github-action-required-labels@v5 + with: + mode: exactly + count: 1 + labels: | + type-feature + exit_type: success # don't fail the check if the PR is not a feature, just record the result + # In case of a feature PR, check for a complete review (contains an "awaiting merge" label). + - id: awaiting-merge + if: steps.is-feature.outputs.status == 'success' + name: Check for complete review + uses: mheap/github-action-required-labels@v5 + with: + mode: exactly + count: 1 + labels: | + awaiting merge From 3fc7f04682d99f3bd2a76bd8f1abb9dc8c39549e Mon Sep 17 00:00:00 2001 
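Review bot: The new `labels: |` block scalars (under both `label-dnm` and `label-reviews`) keep a trailing newline, so the action receives `"DO-NOT-MERGE\n"` rather than `DO-NOT-MERGE`; if the action compares entries without trimming, a `mode: exactly` / `count: 0` check passes vacuously and the gate fails open on a PR that actually carries the label. Using `labels: |-` (or the previous comma-separated string) removes that doubt regardless of how the action parses its input, presumably it does trim, but a merge gate should not depend on it. The split into two jobs also changes the check names from "DO-NOT-MERGE / unresolved review" to "DO-NOT-MERGE" and "Unresolved review"; if branch protection requires the old name, that rule will no longer be satisfied by either job until it is updated. Dropping to `pull-requests: read` is the right direction: neither job writes to the PR.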
From: shenxianpeng Date: Thu, 27 Feb 2025 18:19:04 +0800 Subject: [PATCH 2/3] Apply suggestions from code review Co-authored-by: Adam Turner <9087854+AA-Turner@users.noreply.github.com> --- .github/workflows/require-pr-label.yml | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml index 7e534c58c798d1..88e391bc1b76ea 100644 --- a/.github/workflows/require-pr-label.yml +++ b/.github/workflows/require-pr-label.yml @@ -40,22 +40,3 @@ jobs: labels: | awaiting changes awaiting change review - - id: is-feature - name: Check whether this PR is a feature (contains a "type-feature" label) - uses: mheap/github-action-required-labels@v5 - with: - mode: exactly - count: 1 - labels: | - type-feature - exit_type: success # don't fail the check if the PR is not a feature, just record the result - # In case of a feature PR, check for a complete review (contains an "awaiting merge" label). - - id: awaiting-merge - if: steps.is-feature.outputs.status == 'success' - name: Check for complete review - uses: mheap/github-action-required-labels@v5 - with: - mode: exactly - count: 1 - labels: | - awaiting merge From f45988422d21687794815d98423f2afd23574834 Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Thu, 27 Feb 2025 14:30:45 +0000 Subject: [PATCH 3/3] fixup! Apply suggestions from code review --- .github/workflows/require-pr-label.yml | 29 ++++---------------------- 1 file changed, 4 insertions(+), 25 deletions(-) diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml index 88e391bc1b76ea..d7c2580d4e0808 100644 --- a/.github/workflows/require-pr-label.yml +++ b/.github/workflows/require-pr-label.yml @@ -5,8 +5,8 @@ on: types: [opened, reopened, labeled, unlabeled, synchronize] jobs: - label-dnm: - name: DO-NOT-MERGE + label: + name: DO-NOT-MERGE / unresolved review if: github.repository_owner == 'python' runs-on: ubuntu-latest permissions: 
@@ -14,29 +14,8 @@ jobs: timeout-minutes: 10 steps: - - name: Check there's no DO-NOT-MERGE - uses: mheap/github-action-required-labels@v5 + - uses: mheap/github-action-required-labels@v5 with: mode: exactly count: 0 - labels: | - DO-NOT-MERGE - - label-reviews: - name: Unresolved review - if: github.repository_owner == 'python' - runs-on: ubuntu-latest - permissions: - pull-requests: read - timeout-minutes: 10 - - steps: - # Check that the PR is not awaiting changes from the author due to previous review. - - name: Check there's no required changes - uses: mheap/github-action-required-labels@v5 - with: - mode: exactly - count: 0 - labels: | - awaiting changes - awaiting change review + labels: "DO-NOT-MERGE, awaiting changes, awaiting change review"
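Review bot: The remaining step still references a mutable tag, `uses: mheap/github-action-required-labels@v5`, so anyone who can move that tag can run arbitrary code with the job's token on every PR event; this workflow is the merge gate, so it is worth pinning to a full-length commit SHA with the version in a trailing comment, e.g. `uses: mheap/github-action-required-labels@<40-hex-sha> # v5.x.y`, and letting Dependabot (if enabled for `github-actions` here) bump it. The step also lost its `name:` in this revision, so it shows up in the UI only as the action path; restoring `- name: Check there's no DO-NOT-MERGE or awaiting-review label` keeps the check log readable. The job's `permissions:` block sits just above this hunk and is not visible here, so I am assuming it still carries the `pull-requests: read` reduction from the first patch.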