From 0ec580a86c9b53e5bfdcda0db49045a32ddcf727 Mon Sep 17 00:00:00 2001
From: Lianmin Zheng <lianminzheng@gmail.com>
Date: Sun, 14 Sep 2025 20:33:09 -0700
Subject: [PATCH] Fix label PR (#10445)

---
 .github/workflows/label-pr.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index cf414a441..288d040b9 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -4,9 +4,11 @@ on:
   pull_request_target:
     types: [opened, reopened]
 
-# Sets the permissions for the GITHUB_TOKEN to allow adding labels.
+# This permission is still needed for the 'check-user-permission' action,
+# which uses the default GITHUB_TOKEN to verify the actor's permissions.
 permissions:
-  pull-requests: write
+  pull-requests: read
+  members: read
 
 jobs:
   labeler:
@@ -25,6 +27,7 @@ jobs:
         if: steps.checkAccess.outputs.require-result == 'true'
         uses: actions/github-script@v7
         with:
+          token: ${{ secrets.GH_PAT_FOR_TAGGING }}
           script: |
             github.rest.issues.addLabels({
               owner: context.repo.owner,