
chore: Update GitHub Actions workflows to use fallback token and add permissions#42

Merged
sachin-spotdraft merged 1 commit into main from fix-github-ci on Mar 26, 2026

Conversation


@sachin-spotdraft sachin-spotdraft commented Mar 26, 2026

User description

  • Modified workflows to use a fallback for the GitHub token, allowing for better access management.
  • Added necessary permissions for write access to contents and issues in relevant workflows.

Generated description

Below is a concise technical summary of the changes proposed in this PR:
Adjust the cherrypick, create-release, and promote-to-prod workflows to rely on a fallback token and explicit contents permissions so the tag and checkout steps keep working when the bot PAT is unavailable. Ensure the labeler, remove-labels, and stale jobs request issues/pull-requests permissions and mirror that fallback so automation can run without the dedicated secret.

Topic: Release tagging
Details: Adjust cherrypick, create-release, and promote-to-prod flows to request contents write and fall back to github.token for checkout and tagging, keeping tag pushes stable even when GH_BOT_PAT is unavailable.
Modified files (3)
  • .github/workflows/cherrypick.yaml
  • .github/workflows/create-release.yaml
  • .github/workflows/promote-to-prod.yaml
Latest contributors (1): sachin.rathod@spotdraf... | Cicd (#22) | February 04, 2026

Topic: Label automation
Details: Update PR labeler, remove-labels, and stale jobs to request the necessary issues/pull-requests permissions and reuse the github.token fallback so labeling automation keeps working without the bot PAT.
Modified files (3)
  • .github/workflows/pr-labeler.yaml
  • .github/workflows/remove-label.yaml
  • .github/workflows/stale-pr-labeler.yaml
Latest contributors (1): sachin.rathod@spotdraf... | cicd (#21) | February 04, 2026
This pull request is reviewed by Baz.
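The pattern the generated description summarises (a job-level `permissions` block plus `${{ secrets.GH_BOT_PAT || github.token }}` as the action's token input) is easy to get subtly wrong, because the fallback token is read-only on `pull_request` events from forks no matter what `permissions` declares. The following workflow is an added illustration, not the project's `pr-labeler.yaml`: it assumes the secret name `GH_BOT_PAT` and the `codelytv/pr-size-labeler` action from this PR, and the `HAS_BOT_PAT` / `IS_FORK` environment variables are names chosen here. It shows the fallback together with a guard that skips the label write, with a visible warning, when the run could only hold a read-only token.

```yaml
# Hypothetical workflow added as an example; not the repository's own file.
name: PR size labeler (example)

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  autolabeler:
    runs-on: ubuntu-latest
    # Least privilege for the default github.token. Note that these scopes bound
    # github.token only; a PAT handed to an action carries the bot's own scopes.
    permissions:
      issues: write
      pull-requests: write
    env:
      # An undefined secret evaluates to '', so this becomes the string "true"/"false".
      HAS_BOT_PAT: ${{ secrets.GH_BOT_PAT != '' }}
      # On pull_request events from forks, github.token is read-only regardless
      # of the permissions block above.
      IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
    steps:
      - name: Explain why labeling is skipped
        if: env.IS_FORK == 'true' && env.HAS_BOT_PAT != 'true'
        run: |
          echo "::warning::Fork PR and GH_BOT_PAT is not configured; github.token is read-only here, so the label write is skipped."

      - name: Label by PR size
        # Run only when a token with write access can actually be present.
        if: env.IS_FORK != 'true' || env.HAS_BOT_PAT == 'true'
        uses: codelytv/pr-size-labeler@v1
        with:
          # Prefer the bot PAT; fall back to the workflow token when the secret is absent.
          GITHUB_TOKEN: ${{ secrets.GH_BOT_PAT || github.token }}
          xs_label: 'size/xs'
```

Two design points: the `permissions` block raises `pull-requests` to `write` so the fallback path can label same-repository PRs, and the skip step turns the otherwise silent degradation into a warning in the run log, which is what an operator needs to notice a missing or expired secret.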

…permissions

- Modified workflows to use a fallback for the GitHub token, allowing for better access management.
- Added necessary permissions for write access to contents and issues in relevant workflows.
@sachin-spotdraft sachin-spotdraft merged commit 8db0b84 into main Mar 26, 2026
6 checks passed
Comment on lines 4 to 15
autolabeler:
runs-on: [ubicloud-standard-2]
name: PR size Workflows
permissions:
issues: write
pull-requests: read
steps:
- uses: actions/checkout@v6
- uses: codelytv/pr-size-labeler@v1
with:
GITHUB_TOKEN: ${{ secrets.GH_BOT_PAT }}
GITHUB_TOKEN: ${{ secrets.GH_BOT_PAT || github.token }}
xs_label: 'size/xs'
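Review bot: the `permissions` block (`issues: write`, `pull-requests: read`) only bounds `github.token`; when `secrets.GH_BOT_PAT` is set, the `GITHUB_TOKEN` input carries whatever scopes that PAT has, so the job-level least-privilege declaration does not apply on the PAT path, and the `||` fallback means a missing or expired secret silently switches the job to the narrower token instead of failing. Consider scoping the PAT to this repository with only the issues and pull-requests write it needs, and adding a step that emits a warning when `secrets.GH_BOT_PAT` is empty so the fallback is visible in the run log.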
GITHUB_TOKEN: ${{ secrets.GH_BOT_PAT || github.token }} falls back to read-only github.token on fork PRs and permissions lacks pull-requests: write — should we require the PAT, add pull-requests: write, and guard fork PRs with an if condition?

Finding types: Logical Bugs | Severity: 🔴 High

Prompt for AI Agents:

Before applying, verify this suggestion against the current code. In
.github/workflows/pr-labeler.yaml around lines 4-16, the autolabeler job currently falls
back to GITHUB_TOKEN: ${{ secrets.GH_BOT_PAT || github.token }} which is read-only for
forked PRs and the permissions block sets pull-requests: read instead of pull-requests:
write. Change the job to: (1) update the permissions block to include both issues: write
and pull-requests: write so the codelytv/pr-size-labeler action can modify PR labels,
(2) remove the github.token fallback and require GITHUB_TOKEN: ${{ secrets.GH_BOT_PAT }}
or alternatively switch to the pull_request_target event with the PAT, and (3) add an if
condition to the labeling step so it only runs when either the PR is not from a fork
(github.event.pull_request.head.repo.fork == false) or when secrets.GH_BOT_PAT is
present. Optionally add a debug/log step that warns and skips labeling when neither
condition is met.


3 participants