ci: add automatic PR labeling based on changed files

[manzil-infinity180]

What this PR does / why we need it

Description
Adds a GitHub Actions workflow using actions/labeler@v5 to automatically label PRs based on which files are changed (e.g., documentation, attestors, signers, cli, policy, etc.)

Which issue(s) this PR fixes (optional)

(optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged)*

Fixes #

Acceptance Criteria Met

• Docs changes if needed
• Testing changes if needed
• All workflow checks passing (automatically enforced)
• All review conversations resolved (automatically enforced)
• DCO Sign-off

Special notes for your reviewer:

[netlify]

✅ Deploy Preview for witness-project ready!

Name	Link
🔨 Latest commit	c71b139
🔍 Latest deploy log	https://app.netlify.com/projects/witness-project/deploys/69d3f9468302820008a46205
😎 Deploy Preview	https://deploy-preview-761--witness-project.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The dependency analysis found no issues. However, the code analysis identified a HIGH severity concern in .github/workflows/labeler.yml: the use of the pull_request_target trigger grants base-repository-level permissions to workflows triggered from forks. Combined with the pull-requests: write permission, this creates a potential privilege escalation attack vector if any workflow step checks out or executes code from the PR branch (head ref). The full job steps were not available for review, making it impossible to confirm the workflow is safe. Action items before proceeding: (1) Confirm no actions/checkout step references the PR head sha or head ref. (2) If labeling fork PRs is not required, switch to the safer pull_request trigger. (3) If pull_request_target is intentionally used, add explicit documentation in the workflow file confirming no PR branch code is checked out or executed. The PR should be held until one of these mitigations is verified and documented.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

pull_request_target grants base-repo-level permissions to workflows triggered from forks. If the labeler only reads configuration from the base repository and never checks out or executes code from the PR branch, this can be acceptable. However, you must explicitly ensure that no actions/checkout step references the PR head ref (e.g., ref: ${{ github.event.pull_request.head.sha }}). If checkout of PR code is not needed, the current pattern may be acceptable but should be documented. If labeling fork PRs is not required, switch to the safer pull_request trigger. If pull_request_target is necessary, add a comment to document the intentional use and confirm no PR branch code is executed.

• Location: .github/workflows/labeler.yml:4

• Potential Code Fix:

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
# IMPORTANT: pull_request_target is used intentionally to allow labeling fork PRs.
# This workflow MUST NOT checkout or execute any code from the PR branch (head ref).
# Ensure actions/checkout is not used with the PR head sha or head ref.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: c71b139, performed at: 2026-04-06T18:20:15Z

Found this helpful? Give it a 👍 or 👎 reaction!

[kusari-inspector]

Issue: pull_request_target grants base-repo-level permissions to workflows triggered from forks. If the labeler only reads configuration from the base repository and never checks out or executes code from the PR branch, this can be acceptable. However, you must explicitly ensure that no actions/checkout step references the PR head ref (e.g., ref: ${{ github.event.pull_request.head.sha }}). If checkout of PR code is not needed, the current pattern may be acceptable but should be documented. If labeling fork PRs is not required, switch to the safer pull_request trigger. If pull_request_target is necessary, add a comment to document the intentional use and confirm no PR branch code is executed.

Recommended Code Changes:

on:
  pull_request_target:
    types: [opened, synchronize, reopened]
# IMPORTANT: pull_request_target is used intentionally to allow labeling fork PRs.
# This workflow MUST NOT checkout or execute any code from the PR branch (head ref).
# Ensure actions/checkout is not used with the PR head sha or head ref.

[manzil-infinity180]

pull_request_target is used intentionally to allow labeling fork PRs 👀

[manzil-infinity180]

I noticed @matglas was adding labels like documentation and bug manually on PRs; this should help automate the file-path-based ones.

Note: The labels referenced in .github/labeler.yml need to exist in the repo settings; if any are missing, the workflow will fail. Happy to adjust the label set based on what the project already uses.