fix(ci): restore pull-requests:write for PR label/comment writes (#3367)

#3336 reduced the PR-checks workflow to pull-requests:read on the
assumption that PR labels/comments only need issues:write (the REST path
is /issues/{n}/...). They do not: modifying a pull request's labels or
comments requires the pull-requests scope, so issues:write alone returns
403 and crashed the description check on every PR. Restore
pull-requests:write, and fail soft in swapLabel so a label-permission
error can never mask the description verdict.
Kenny Van de Maele
2026-06-08 00:26:30 +02:00
committed by GitHub
parent c46ea44f43
commit 3557a3f495
2 changed files with 15 additions and 6 deletions
+9 -2
@@ -103,14 +103,21 @@ module.exports = async ({ github, context, core }) => {
async function swapLabel(num, add, remove) {
if (await labelExists(add)) {
await github.rest.issues.addLabels({ owner, repo, issue_number: num, labels: [add] });
try {
await github.rest.issues.addLabels({ owner, repo, issue_number: num, labels: [add] });
} catch (e) {
// Fail soft on a token that can't write labels so a label permission
// problem never masks the actual description verdict.
if (e.status !== 403) throw e;
core.warning(`Could not add "${add}" — token lacks label write here; skipping.`);
}
} else {
core.warning(`Label "${add}" does not exist in the repo — skipping. Create it once to enable labelling.`);
}
try {
await github.rest.issues.removeLabel({ owner, repo, issue_number: num, name: remove });
} catch (e) {
if (e.status !== 404 && e.status !== 410) throw e;
if (e.status !== 404 && e.status !== 410 && e.status !== 403) throw e;
}
}
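Review bot: In the removeLabel catch at the end of swapLabel, a 403 is now swallowed with no log line, unlike the addLabels path, which calls core.warning. A PR can therefore keep the stale `remove` label with nothing in the run output to explain why. I would add `if (e.status === 403) core.warning('Could not remove "' + remove + '" (HTTP 403); previous label left in place.');` after the rethrow check. Separately, the warning in the addLabels catch states the cause as missing label-write permission, but GitHub can also return 403 for rate limiting, so appending `e.message` to that warning would keep the actual reason visible during triage.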