Proposed Changes:

• CI_docstring_labeler.yml workflow uses pull_request_target and deliberately checks out the fork's HEAD to compare docstring checksums.

• The recent bump of actions/checkout from v6.0.2 → v6.0.3 (commit 76f9049) introduced a new security enforcement that now blocks this unless allow-unsafe-pr-checkout: true is explicitly set.

• Why it's safe to opt in here: The workflow was already designed with this security concern in mind — the Python script is copied from the trusted base branch into $runner.temp before the fork checkout happens (step "Copy file", line 22). That script then runs on the fork's files to compute a docstring checksum. No code from the fork is ever executed; it's only read as data. No custom secrets are used either, only GITHUB_TOKEN.

How did you test it?

• CI tests

Notes for the reviewer

• This was detected through this PR error log
• More info on the checkout release notes: https://github.com/actions/checkout

Checklist

• I have read the contributors guidelines and the code of conduct
• I have updated the related issue with new insights and changes
• I added unit tests and updated the docstrings
• I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test:.