diff --git a/.github/workflows/_labeler.yml b/.github/workflows/_labeler.yml
new file mode 100644
index 0000000000..5beca0c9e0
--- /dev/null
+++ b/.github/workflows/_labeler.yml
@@ -0,0 +1,27 @@
+---
+
+# This workflow is not intended to be used directly. Please
+# see `labeler.yml` comments to understand why.
+on: workflow_call
+
+jobs:
+ triage:
+ permissions:
+ contents: read
+ # **WARNING** **WARNING** **WARNING** **WARNING** **WARNING**
+ #
+ # This workflow uses pull-request --> WRITE <-- Permissions.
+ # Please carefully review any/all changes proposed below,
+ # that they do not attempt to to perform a PR merge.
+ #
+ # **WARNING** **WARNING** **WARNING** **WARNING** **WARNING**
+ pull-requests: write
+ runs-on: ubuntu-latest
+ steps:
+ # https://github.com/actions/labeler
+ - uses: actions/labeler@v4
+ # The v4 code of this action reads the glob-YAML from the triggering
+ # PR context (via the `$GITHUB_SHA` value):
+ # https://github.com/actions/labeler/blob/v4/src/labeler.ts#L119
+ with:
+ repo-token: "${{secrets.GITHUB_TOKEN}}"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 64505bbfee..d564bfd3ee 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
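Review bot: The comment above `with:` says the v4 action reads its glob-YAML "from the triggering PR context (via the `$GITHUB_SHA` value)", which reads as though PR-controlled input drives the label rules; under `pull_request_target`, the only trigger that reaches this `workflow_call` job, GitHub documents `GITHUB_SHA` as the last commit on the PR base branch, so the configuration is taken from the base branch rather than the PR head and the comment should state that explicitly, e.g. `# v4 reads .github/labeler.yml at $GITHUB_SHA, which under pull_request_target is the base-branch head (not the PR head), so a PR cannot alter the label rules` (worth re-confirming against the linked labeler.ts line before merging). Because this job runs with `pull-requests: write`, `actions/labeler@v4` should also be pinned to a full commit SHA (`uses: actions/labeler@<40-char sha> # v4`) instead of the mutable major tag, so a moved or compromised tag cannot change what runs with that token. Minor: "attempt to to perform" in the warning block duplicates a word.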
@@ -1,15 +1,25 @@
-# https://github.com/actions/labeler
 name: "Pull Request Labeler"
 on:
-- pull_request_target
+ # IMPORTANT NOTE: The actual workflow YAML used for a run may not
+ # be what you expect! Specifically, the `pull_request_target`
+ # trigger uses the workflow YAML as-is on the `main` branch at
+ # the time.
+ - pull_request_target
 jobs:
- triage:
- permissions:
- contents: read
- pull-requests: write
- runs-on: ubuntu-latest
- steps:
- - uses: actions/labeler@v4
- with:
- repo-token: "${{ secrets.GITHUB_TOKEN }}"
+ # Avoid any label-semantic conflicts between `main` and any PR's target
+ # branch, by redirecting execution to the workflow YAML as defined
+ # in the branch targeted by the PR (`github.base_ref`). This also
+ # implies PR's cannot directly modify the workflow YAML (which has
+ # repository-write permissions) before being merged into a branch.
+ # Ref: https://docs.github.com/en/actions/using-workflows/reusing-workflows
+ triage:
+ # Note `github.base_ref` is: "The base_ref or target branch of the pull
+ # request in a workflow run. This property is only available when the
+ # event that triggers a workflow run is either pull_request or
+ # pull_request_target"
+ uses: ${{github.repository}}/.github/workflows/_labeler.yml@${{github.base_ref}}
+ secrets: inherit
+ permissions:
+ contents: read
+ pull-requests: write
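Review bot: `secrets: inherit` on the `triage` job hands every repository and organization secret to the called workflow, yet `_labeler.yml` only consumes `secrets.GITHUB_TOKEN`, which GitHub passes to a same-repository called workflow automatically; drop the line so a `pull_request_target` job holding `pull-requests: write` carries nothing it does not use, and if a secret is ever needed, name it explicitly under `secrets:` instead. The `uses: ${{github.repository}}/.github/workflows/_labeler.yml@${{github.base_ref}}` reference relies on expressions being accepted in `jobs.<job_id>.uses`, which the reusable-workflows documentation linked in the comment has historically said is not supported, so this should be confirmed on a real PR before merging; also, a PR targeting a branch that lacks `_labeler.yml` will fail the run rather than skip it, which deserves a sentence in the comment. The comment wording "PR's cannot directly modify" should read "PRs cannot directly modify".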