From 2310a9eda0d43b31492f94166d83e40178599100 Mon Sep 17 00:00:00 2001
From: Erick Zhao <erick@hotmail.ca>
Date: Fri, 20 Mar 2026 15:35:18 -0700
Subject: [PATCH 1/2] ci: auto-label `next` PRs

---
 .github/labeler.yml           |  2 ++
 .github/workflows/labeler.yml | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 .github/labeler.yml
 create mode 100644 .github/workflows/labeler.yml

diff --git a/.github/labeler.yml b/.github/labeler.yml
new file mode 100644
index 0000000000..ad28327cf6
--- /dev/null
+++ b/.github/labeler.yml
@@ -0,0 +1,2 @@
+next:
+  - base-branch: 'next'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
new file mode 100644
index 0000000000..bdf4c9d9ff
--- /dev/null
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,17 @@
+name: PR Labeler
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
+        with:
+          sync-labels: true

From a2ab02409b08899985f8ac67724746217daa1a89 Mon Sep 17 00:00:00 2001
From: Erick Zhao <erick@hotmail.ca>
Date: Fri, 20 Mar 2026 15:50:21 -0700
Subject: [PATCH 2/2] Update pull_request_target with comment for safety

Added comment to ignore dangerous triggers in pull request events.
---
 .github/workflows/labeler.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index bdf4c9d9ff..15a6409caa 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,7 +1,7 @@
 name: PR Labeler
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types: [opened, synchronize, reopened]
 
 permissions: