From f0f29d00c62c652f07dce99d4a497b9900d052af Mon Sep 17 00:00:00 2001
From: shenxianpeng <xianpeng.shen@gmail.com>
Date: Thu, 27 Feb 2025 04:47:41 +0800
Subject: [PATCH] gh-127785: Reduce permissions in the `check labels` workflow
 (#130596)

(cherry picked from commit 5ba69e747fa9da984a307b2cbc9f82bac1e0db04)
---
 .github/workflows/require-pr-label.yml | 51 +++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/require-pr-label.yml b/.github/workflows/require-pr-label.yml
index ee91e2a39a198d..7e534c58c798d1 100644
--- a/.github/workflows/require-pr-label.yml
+++ b/.github/workflows/require-pr-label.yml
@@ -5,18 +5,57 @@ on:
     types: [opened, reopened, labeled, unlabeled, synchronize]
 
 jobs:
-  label:
-    name: DO-NOT-MERGE / unresolved review
+  label-dnm:
+    name: DO-NOT-MERGE
     if: github.repository_owner == 'python'
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      pull-requests: write
+      pull-requests: read
     timeout-minutes: 10
 
     steps:
-      - uses: mheap/github-action-required-labels@v5
+      - name: Check there's no DO-NOT-MERGE
+        uses: mheap/github-action-required-labels@v5
         with:
           mode: exactly
           count: 0
-          labels: "DO-NOT-MERGE, awaiting changes, awaiting change review"
+          labels: |
+            DO-NOT-MERGE
+
+  label-reviews:
+    name: Unresolved review
+    if: github.repository_owner == 'python'
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    timeout-minutes: 10
+
+    steps:
+      # Check that the PR is not awaiting changes from the author due to previous review.
+      - name: Check there's no required changes
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 0
+          labels: |
+            awaiting changes
+            awaiting change review
+      - id: is-feature
+        name: Check whether this PR is a feature (contains a "type-feature" label)
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 1
+          labels: |
+            type-feature
+          exit_type: success  # don't fail the check if the PR is not a feature, just record the result
+      # In case of a feature PR, check for a complete review (contains an "awaiting merge" label).
+      - id: awaiting-merge
+        if: steps.is-feature.outputs.status == 'success'
+        name: Check for complete review
+        uses: mheap/github-action-required-labels@v5
+        with:
+          mode: exactly
+          count: 1
+          labels: |
+            awaiting merge