ci(auto-sync): grant issues:write so gh label create works

conversun · conversun · commit 292d598ab66a · 2026-05-11T11:21:31.000+08:00
The label-management API (POST /repos/{owner}/{repo}/labels) requires
'issues: write'. When a workflow declares any explicit permissions, all
unlisted scopes default to 'none' — so the existing block silently
denied label creation. The PR-creation step then failed with
'could not add label: auto-sync not found'.

Also drop '2&gt;/dev/null' on the idempotent label-create so future
failures surface in logs instead of being swallowed.
diff --git a/.github/workflows/auto-sync-upstream.yml b/.github/workflows/auto-sync-upstream.yml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: write
   pull-requests: write
+  issues: write
   actions: write
 
 concurrency:
@@ -150,7 +151,7 @@ jobs:
           } > /tmp/pr-body.md
 
           # Idempotently ensure the label exists.
-          gh label create auto-sync --color FBCA04 --description "Automated upstream sync" 2>/dev/null || true
+          gh label create auto-sync --color FBCA04 --description "Automated upstream sync" || true
 
           EXISTING=$(gh pr list --head "${PR_BRANCH}" --base "${TARGET_BRANCH}" --state open --json number --jq '.[0].number' || true)
 
