First, I would like to give a huge thank you for delivering this feature.
However, it seems potentially dangerous as the usual process for CI is checking out the PR repo and the token has unlimited write access to the repo.
It’d be nice to limit the scope of the token to the PR that triggered the event. In other words, the token should only be able to label, annotate, comment on or assign someone to that PR, and add a status or check to commits of that PR.
Until then, I think the documentation should warn against checking out and running code from public forks.