From cb1f752b324977f1e5710c32138741e92614191a Mon Sep 17 00:00:00 2001
From: PastaClaw <thepastaclaw@users.noreply.github.com>
Date: Sun, 14 Jun 2026 00:49:42 -0500
Subject: [PATCH] ci: allow ready-for-review workflow to edit labels

---
 .github/workflows/ready-for-review.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ready-for-review.yml b/.github/workflows/ready-for-review.yml
index ab848dfeb..b671c6f16 100644
--- a/.github/workflows/ready-for-review.yml
+++ b/.github/workflows/ready-for-review.yml
@@ -14,14 +14,15 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  pull-requests: write
-  checks: read
+  contents: read
 
 jobs:
   # Ensure all pull_request-triggered workflows are monitored by workflow_run
   validate-triggers:
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_run'
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:
@@ -73,6 +74,11 @@ jobs:
 
   evaluate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      checks: read
     # Skip non-CodeRabbit reviews
     if: >-
       github.event_name != 'pull_request_review' ||
@@ -154,7 +160,7 @@ jobs:
             echo "CI status: $CI_STATUS"
             if [ "$CI_STATUS" = "all_passed" ]; then
               echo "All conditions met. Adding ready-for-review label."
-              gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "ready-for-review"
+              gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label "ready-for-review" || true
             else
               echo "CI checks not all passing ($CI_STATUS). Removing label if present."
               gh pr edit "$PR_NUMBER" --repo "$REPO" --remove-label "ready-for-review" || true