name: "Pull Request Labeler"
on:
  pull_request_target:
    types: [opened, reopened]

permissions:
  contents: read

jobs:
  labeler:
    permissions:
      pull-requests: write # Labeler needs to be able to add labels to PRs.
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
      with:
        egress-policy: audit

    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}