pythongh-127785: Reduce permissions in the check labels workflow (python#130596)

(cherry picked from commit 5ba69e7)

Author: shenxianpeng

.github/workflows/require-pr-label.yml

@@ -5,18 +5,57 @@ on:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
 jobs:
-  label:
-    name: DO-NOT-MERGE / unresolved review
+  label-dnm:
+    name: DO-NOT-MERGE
     if: github.repository_owner == 'python'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      pull-requests: read
     timeout-minutes: 10
 
     steps:
-      - uses: mheap/github-action-required-labels@v5
+      - name: Check there's no DO-NOT-MERGE
+        uses: mheap/github-action-required-labels@v5
         with:
           mode: exactly
           count: 0
-          labels: "DO-NOT-MERGE, awaiting changes, awaiting change review"
+          labels: |
+            DO-NOT-MERGE
+
+  label-reviews:
+    name: Unresolved review
+    if: github.repository_owner == 'python'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    timeout-minutes: 10
+
+    steps:
+      # Check that the PR is not awaiting changes from the author due to previous review.
+      - name: Check there's no required changes
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 0
+          labels: |
+            awaiting changes
+            awaiting change review
+      - id: is-feature
+        name: Check whether this PR is a feature (contains a "type-feature" label)
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 1
+          labels: |
+            type-feature
+          exit_type: success  # don't fail the check if the PR is not a feature, just record the result
+      # In case of a feature PR, check for a complete review (contains an "awaiting merge" label).
+      - id: awaiting-merge
+        if: steps.is-feature.outputs.status == 'success'
+        name: Check for complete review
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 1
+          labels: |
+            awaiting merge