fix: Move PR size labeler to dedicated workflow

[osterman]

what

• Created new .github/workflows/pr-size-labeler.yml workflow using pull_request_target event
• Moved pr-size-labeler job from codeql.yml to dedicated workflow
• Workflow now has elevated permissions to label PRs from forks

why

The PR size labeler was failing with 403 Resource not accessible by integration for PRs from forks because pull_request event runs with read-only permissions for non-member contributors. Using pull_request_target runs the workflow in the base repository context with write permissions, while remaining safe because we only use the GitHub API to read file metadata.

references

Fixes #1814

Summary by CodeRabbit

• Chores
  • Moved PR size labeling out of the security workflow into a dedicated PR Size Labeler workflow to improve maintainability and separation of concerns.
  • Restored equivalent PR size labeling behavior in the new workflow while removing the embedded job from the original workflow file.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[mergify]

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues found.

Scanned Files

• .github/workflows/pr-size-labeler.yml

[coderabbitai]

📝 Walkthrough

Walkthrough

Removed the embedded pr-size-labeler job from the CodeQL workflow and added a new standalone workflow .github/workflows/pr-size-labeler.yml that labels PR sizes using the repository's local pr-sizer action, triggered on pull_request_target events.

Changes

Cohort / File(s)	Summary
CodeQL workflow update \.github/workflows/codeql.yml	Deleted the top-level pr-size-labeler job (its permissions, pull_request trigger, checkout step, and PR Size Labeler action with all size/ignore configuration).
New standalone workflow \.github/workflows/pr-size-labeler.yml	Added a dedicated PR Size Labeler workflow triggered on pull_request_target (opened, synchronize, reopened). Checks out the base branch and runs the local pr-sizer action with configured labels, size thresholds, ignore patterns, and deletion-handling flags.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Verify the new workflow preserves original label thresholds and ignore patterns.
• Confirm use of pull_request_target and base-branch checkout is intentional and safe for the repository's security model.
• Ensure required permissions (read contents; write pull-requests/issues) are correct and minimal.

Possibly related PRs

• fix: resolve Docker Hub rate limit issues in GitHub Actions #1511 — Adds the ./.github/actions/pr-sizer action referenced by the new workflow.
• Implement PR Size Labeler #1098 — Previously added a pr-size-labeler job to codeql.yml (touches the same automation being moved/removed).
• Use official golangci action together with CodeQL #1137 — Also modified the pr-size-labeler job in codeql.yml, likely related to prior workflow adjustments.

Suggested reviewers

• aknysh

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR objectives focus on workflow configuration changes, but the linked issue #1814 addresses store implementation changes for exact key matching. The changes do not align with the issue's coding requirements.	The PR should either address the store prefix logic changes from issue #1814, or be linked to a different issue that covers GitHub Actions workflow reorganization.
Out of Scope Changes check	⚠️ Warning	Changes to GitHub Actions workflows are out of scope relative to issue #1814, which requires modifications to store implementations and their tests.	Either relink to an appropriate workflow-related issue or include the actual store implementation changes required by issue #1814.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title clearly describes the main change: moving the PR size labeler from the CodeQL workflow to a dedicated workflow file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch osterman/fix-pr-sizer-fork-perms

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 285d472 and 4285a3e.

📒 Files selected for processing (1)

• .github/workflows/pr-size-labeler.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/pr-size-labeler.yml

⏰ Context from checks skipped due to timeout of 900000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.00%. Comparing base (6e39488) to head (4285a3e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1816      +/-   ##
==========================================
+ Coverage   71.98%   72.00%   +0.01%     
==========================================
  Files         471      471              
  Lines       45222    45222              
==========================================
+ Hits        32555    32560       +5     
+ Misses      10071    10066       -5     
  Partials     2596     2596              

Flag	Coverage Δ
unittests	72.00% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.