diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml
index 92a002c6b0..eb410e58be 100644
--- a/.github/workflows/refiner.lock.yml
+++ b/.github/workflows/refiner.lock.yml
@@ -30,8 +30,8 @@
 name: "Code Refiner"
 "on":
   pull_request:
-    names:
-    - refine
+    # names: # Label filtering applied via job conditions
+    # - refine # Label filtering applied via job conditions
     types:
     - labeled
   workflow_dispatch:
@@ -53,7 +53,8 @@ jobs:
   activation:
     needs: pre_activation
     if: >
-      (needs.pre_activation.outputs.activated == 'true') && ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id))
+      (needs.pre_activation.outputs.activated == 'true') && (((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) &&
+      ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'refine'))))
     runs-on: ubuntu-slim
     permissions:
       contents: read
@@ -1042,7 +1043,9 @@ jobs:
           if-no-files-found: ignore
 
   pre_activation:
-    if: (github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)
+    if: >
+      ((github.event_name != 'pull_request') || (github.event.pull_request.head.repo.id == github.repository_id)) &&
+      ((github.event_name != 'pull_request') || ((github.event.action != 'labeled') || (github.event.label.name == 'refine')))
     runs-on: ubuntu-slim
     permissions:
       contents: read
diff --git a/docs/src/content/docs/agent-factory-status.mdx b/docs/src/content/docs/agent-factory-status.mdx
index 0b913cf48b..157f8e6b93 100644
--- a/docs/src/content/docs/agent-factory-status.mdx
+++ b/docs/src/content/docs/agent-factory-status.mdx
@@ -32,6 +32,7 @@ These are experimental agentic workflows used by the GitHub Next team to learn,
 | [Claude Code User Documentation Review](https://github.com/github/gh-aw/blob/main/.github/workflows/claude-code-user-docs-review.md) | claude | [![Claude Code User Documentation Review](https://github.com/github/gh-aw/actions/workflows/claude-code-user-docs-review.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/claude-code-user-docs-review.lock.yml) | - | - |
 | [CLI Consistency Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/cli-consistency-checker.md) | copilot | [![CLI Consistency Checker](https://github.com/github/gh-aw/actions/workflows/cli-consistency-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/cli-consistency-checker.lock.yml) | `0 13 * * 1-5` | - |
 | [CLI Version Checker](https://github.com/github/gh-aw/blob/main/.github/workflows/cli-version-checker.md) | claude | [![CLI Version Checker](https://github.com/github/gh-aw/actions/workflows/cli-version-checker.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/cli-version-checker.lock.yml) | - | - |
+| [Code Refiner](https://github.com/github/gh-aw/blob/main/.github/workflows/refiner.md) | copilot | [![Code Refiner](https://github.com/github/gh-aw/actions/workflows/refiner.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/refiner.lock.yml) | - | - |
 | [Code Scanning Fixer](https://github.com/github/gh-aw/blob/main/.github/workflows/code-scanning-fixer.md) | copilot | [![Code Scanning Fixer](https://github.com/github/gh-aw/actions/workflows/code-scanning-fixer.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/code-scanning-fixer.lock.yml) | - | - |
 | [Code Simplifier](https://github.com/github/gh-aw/blob/main/.github/workflows/code-simplifier.md) | copilot | [![Code Simplifier](https://github.com/github/gh-aw/actions/workflows/code-simplifier.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/code-simplifier.lock.yml) | - | - |
 | [Codex GitHub Remote MCP Test](https://github.com/github/gh-aw/blob/main/.github/workflows/codex-github-remote-mcp-test.md) | codex | [![Codex GitHub Remote MCP Test](https://github.com/github/gh-aw/actions/workflows/codex-github-remote-mcp-test.lock.yml/badge.svg)](https://github.com/github/gh-aw/actions/workflows/codex-github-remote-mcp-test.lock.yml) | - | - |
diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md
index e0eae18013..fae631480f 100644
--- a/docs/src/content/docs/reference/frontmatter-full.md
+++ b/docs/src/content/docs/reference/frontmatter-full.md
@@ -1784,10 +1784,7 @@ cache: []
 
 # Safe output processing configuration that automatically creates GitHub issues,
 # comments, and pull requests from AI workflow output without requiring write
-# permissions in the main job. When using GitHub App tokens (app:), permissions
-# are automatically narrowed per-job to match only what's needed, and tokens are
-# auto-revoked at job end. Multiple safe outputs in the same workflow receive the
-# union of their required permissions.
+# permissions in the main job
 # (optional)
 safe-outputs:
   # List of allowed domains for URI filtering in AI workflow output. URLs from other
@@ -3438,10 +3435,8 @@ safe-outputs:
   github-token: "${{ secrets.GITHUB_TOKEN }}"
 
   # GitHub App credentials for minting installation access tokens. When configured,
-  # tokens are automatically minted per-job with permissions narrowed to match the
-  # job's permissions block. Tokens are auto-revoked at job end. This enables safe
-  # use of a broadly-permissioned GitHub App because each job only receives the
-  # specific permissions it needs.
+  # a token will be generated using the app credentials and used for all safe output
+  # operations.
   # (optional)
   app:
     # GitHub App ID. Should reference a variable (e.g., ${{ vars.APP_ID }}).
diff --git a/pkg/workflow/label_trigger_parser.go b/pkg/workflow/label_trigger_parser.go
index 2bcc6c3d3b..a3128549fd 100644
--- a/pkg/workflow/label_trigger_parser.go
+++ b/pkg/workflow/label_trigger_parser.go
@@ -79,8 +79,8 @@ func parseLabelTriggerShorthand(input string) (entityType string, labelNames []s
 
 // expandLabelTriggerShorthand takes an entity type and label names and returns a map that represents
 // the expanded label trigger + workflow_dispatch configuration with item_number input.
-// Note: For discussion events, GitHub Actions doesn't support the `names` field,
-// so we use the native label filter marker but the names will be filtered via job conditions.
+// Note: For discussion events, GitHub Actions doesn't support the `labels` field,
+// so we use the native label filter marker but the labels will be filtered via job conditions.
 func expandLabelTriggerShorthand(entityType string, labelNames []string) map[string]any {
 	// Create the trigger configuration based on entity type
 	var triggerKey string
@@ -104,11 +104,19 @@ func expandLabelTriggerShorthand(entityType string, labelNames []string) map[str
 		"types": []any{"labeled"},
 	}
 
-	// Only add names field for issues and pull_request (GitHub Actions supports it)
-	// For discussions, names field is not supported by GitHub Actions
-	if entityType == "issues" || entityType == "pull_request" {
+	// Add label names for filtering
+	// For issues: GitHub Actions supports native `labels` field - use it with marker
+	// For pull_request & discussion: Use `names` field for job condition filtering (no marker)
+	//   Note: The `names` field is an internal representation for job condition generation
+	//   and won't be rendered in the final GitHub Actions YAML for these event types
+	switch entityType {
+	case "issues":
+		triggerConfig["labels"] = labelNames
+		triggerConfig["__gh_aw_native_label_filter__"] = true // Marker to use native filtering
+	case "pull_request", "discussion":
+		// For pull_request and discussion: add names field for job condition filtering
 		triggerConfig["names"] = labelNames
-		triggerConfig["__gh_aw_native_label_filter__"] = true // Marker to prevent commenting out names
+		// No marker - this will be filtered via job conditions
 	}
 
 	// Create workflow_dispatch with item_number input
diff --git a/pkg/workflow/label_trigger_parser_test.go b/pkg/workflow/label_trigger_parser_test.go
index 2fd65e2ec5..baab95b845 100644
--- a/pkg/workflow/label_trigger_parser_test.go
+++ b/pkg/workflow/label_trigger_parser_test.go
@@ -329,9 +329,19 @@ func TestExpandLabelTriggerShorthand(t *testing.T) {
 				t.Errorf("expandLabelTriggerShorthand() types = %v, want [labeled]", types)
 			}
 
-			// Check names field (only for issues and pull_request, not discussion)
+			// Check labels/names field:
+			// - For issues: uses native 'labels' field
+			// - For pull_request & discussion: uses 'names' field for job condition filtering
 			switch tt.entityType {
-			case "issues", "pull_request":
+			case "issues":
+				labels, ok := triggerConfig["labels"].([]string)
+				if !ok {
+					t.Fatalf("expandLabelTriggerShorthand() labels is not a string array for issues")
+				}
+				if !slicesEqual(labels, tt.labelNames) {
+					t.Errorf("expandLabelTriggerShorthand() labels = %v, want %v", labels, tt.labelNames)
+				}
+			case "pull_request", "discussion":
 				names, ok := triggerConfig["names"].([]string)
 				if !ok {
 					t.Fatalf("expandLabelTriggerShorthand() names is not a string array for %s", tt.entityType)
@@ -339,11 +349,6 @@ func TestExpandLabelTriggerShorthand(t *testing.T) {
 				if !slicesEqual(names, tt.labelNames) {
 					t.Errorf("expandLabelTriggerShorthand() names = %v, want %v", names, tt.labelNames)
 				}
-			case "discussion":
-				// Discussion should not have names field (GitHub Actions doesn't support it)
-				if _, hasNames := triggerConfig["names"]; hasNames {
-					t.Errorf("expandLabelTriggerShorthand() discussion should not have names field")
-				}
 			}
 
 			// Check workflow_dispatch