diff --git a/.github/labeler.yml b/.github/labeler.yml
index 380ff441c04a..69cb0c51e123 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -10,14 +10,14 @@
   - any-glob-to-any-file:
     - '.github/workflows/*'
 
-# Add the `documentation` label to PRs that change any file in the `user_guide_src/source/` directory.
+# Add the `documentation` label to PRs for documentation only.
 'documentation':
 - changed-files:
   - any-glob-to-all-files:
-    - 'user_guide_src/source/*'
+    - 'user_guide_src/source/**'
 
-# Add the `testing` label to PRs that change files in the `tests/` directory ONLY.
+# Add the `testing` label to PRs that changes tests only.
 'testing':
 - changed-files:
   - any-glob-to-all-files:
-    - 'tests/*'
+    - 'tests/**'
diff --git a/.github/workflows/label-pr.yml b/.github/workflows/label-pr.yml
index 730c98f271c1..bc93f5e49dac 100644
--- a/.github/workflows/label-pr.yml
+++ b/.github/workflows/label-pr.yml
@@ -7,13 +7,55 @@ on:
   - pull_request_target
 
 jobs:
+  validate-source:
+    permissions:
+      contents: read
+      pull-requests: read
+    runs-on: ubuntu-24.04
+    outputs:
+      valid: ${{ steps.check.outputs.valid }}
+
+    steps:
+      - name: Check if PR is from the main repository
+        id: check
+        run: |
+          if [[ "$HEAD_REPO" == "codeigniter4/CodeIgniter4" ]]; then
+            echo "valid=true" >> $GITHUB_OUTPUT
+          else
+            echo "valid=false" >> $GITHUB_OUTPUT
+          fi
+        env:
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+
   add-labels:
+    needs: validate-source
     permissions:
       contents: read
       pull-requests: write
     runs-on: ubuntu-24.04
 
     steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Verify PR source for workflow file changes
+        run: |
+          # Get changed files in this PR
+          git fetch origin "refs/pull/${{ github.event.pull_request.number }}/merge"
+          CHANGED_FILES=$(git diff --name-only origin/develop FETCH_HEAD 2>/dev/null || echo "")
+
+          # Check if this workflow file is being modified
+          if echo "$CHANGED_FILES" | grep -q "\.github/workflows/label-pr\.yml"; then
+            if [[ "$IS_VALID" != "true" ]]; then
+              echo "::error::Changes to label-pr.yml can only be made from the main repository."
+              exit 1
+            fi
+          fi
+        env:
+          IS_VALID: ${{ needs.validate-source.outputs.valid }}
+
       - name: Add labels
         uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with: