WeblateOrg · nijel · May 15, 2026 · May 15, 2026
diff --git a/.github/workflows/closing.yml b/.github/workflows/closing.yml
@@ -17,8 +17,9 @@ permissions:
   contents: read
 
 jobs:
-  issueClosed:
+  issue-closed:
     permissions:
+      contents: read  # for actions/checkout
       issues: write  # for gh issue comment
     runs-on: ubuntu-slim
     steps:

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -15,8 +15,8 @@ jobs:
     runs-on: ubuntu-slim
     steps:
     - name: Checkout Repository
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd   # v6.0.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
     - name: Dependency Review
-      uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294   # v5.0.0
+      uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -9,20 +9,20 @@ on:
   issues:
     types: [labeled]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  issueLabeled:
+  issue-labeled:
+    if: ${{ ! github.event.issue.pull_request && github.event.label.name == 'good first issue' }}
     permissions:
+      contents: read  # for actions/checkout
       issues: write  # for gh issue comment
     runs-on: ubuntu-slim
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
     - name: Add good first issue comment
-      if: ${{ github.event.label.name == 'good first issue' }}
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         ISSUE_NUMBER: ${{ github.event.issue.number }}

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -8,6 +8,8 @@ name: Pre-commit check
 on:
   push:
     branches-ignore:
+    - copilot/**
+    - codex/**
     - renovate/**
     - weblate
     - dependabot/**
@@ -21,7 +23,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
 
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd   # v6.0.2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
     - uses: ./.github/actions/pre-commit-setup

diff --git a/.github/workflows/pull_requests.yaml b/.github/workflows/pull_requests.yaml
@@ -3,25 +3,20 @@
 # SPDX-License-Identifier: CC0-1.0
 
 # This file is maintained in https://github.com/WeblateOrg/meta/
-
 name: Pull request automation
 
 on: # zizmor: ignore[dangerous-triggers]
   pull_request_target:
     types: opened
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  weblate_automerge:
+  weblate-automerge:
     runs-on: ubuntu-slim
     name: Weblate automerge
     if: github.actor == 'weblate'
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        persist-credentials: false
     - name: Enable Pull Request Automerge
       run: gh pr merge --rebase --auto "$PR_NUMBER"
       env: