From d5467e3be3063a0748511a1741388d62b4254e5c Mon Sep 17 00:00:00 2001
From: Seth Parker <csparker247@gmail.com>
Date: Thu, 11 Jun 2026 14:06:14 -0400
Subject: [PATCH] auto-label: use PAT so labeled event triggers publish.yml

GitHub's recursion guard: a label applied with the default GITHUB_TOKEN
does not fire downstream workflows. publish.yml listens on
pull_request_target.labeled, so without a PAT the chain stalls after
auto-label.

Reuses the existing BUMP_PR_PAT secret.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/auto-label.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/auto-label.yml b/.github/workflows/auto-label.yml
index 04f0f0c..08d1477 100644
--- a/.github/workflows/auto-label.yml
+++ b/.github/workflows/auto-label.yml
@@ -19,6 +19,10 @@ jobs:
       - name: Add pr-pull label to passing bumper PRs
         uses: actions/github-script@v7
         with:
+          # GITHUB_TOKEN-applied labels do NOT trigger downstream
+          # workflows (GitHub's recursion guard). Use a PAT so the
+          # `labeled` event reaches publish.yml.
+          github-token: ${{ secrets.BUMP_PR_PAT }}
           script: |
             const run = context.payload.workflow_run;
             const prs = run.pull_requests || [];