Question
Is there some way to set per-label permissions in GitHub?
Background / Context
I'm working on CI/CD pipelines for a project, the code for which is hosted under a GitHub Enterprise account, using GitHub Actions.
I'm hoping to control the process through labels on a PR. The manual key points of this process are outlined below:
- When someone creates a PR to master, the CI pipeline kicks off and creates an image and pushes it to AWS ECR. NB: A lot of other stuff also happens here; e.g. linting, vulnerability scanning, automated testing, etc.; but needs no manual involvement. If things fail the PR is rejected & no image is pushed to ECR.
- The QA team apply the label `ApprovedForUAT`, which checks there are no competing labels (e.g. other `ApprovedForUAT` or `DeployedToUAT` labeled PRs; if there are it fails until this is corrected), then kicks off the CD pipeline to deploy that image to our UAT environment.
- Once the image is successfully deployed to UAT, the CD pipeline removes the `ApprovedForUAT` label and applies the `DeployedToUAT` label.
- Once manual testing is completed, the QA team apply the label `PassedUAT` or `FailedUAT` as appropriate; a pipeline checks that the label `DeployedToUAT` had been present to ensure this status update is valid. If things fail, the image is removed from ECR.
- The release manager then applies the label `ApprovedForProd` (can only be applied if the label `PassedUAT` is already present), causing the CD pipeline to run at a predetermined time, which updates production with the new image, removes the `ApprovedForProd` label, and closes the pull request as complete.
Desired Permissions
The following roles should only be able to apply the given workflow labels:
- QA Team
  - `ApprovedForUAT`
  - `PassedUAT`
  - `FailedUAT`
- Release Manager
  - `ApprovedForProd`
- GitHub Actions
  - `DeployedToUAT`
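GitHub has no per-label permission: anyone with triage access or above on the repository can apply or remove any label. The closest practical control is a compensating check in the workflow itself. The example below is added here and is not code from the question or from any project: a pure function that a job triggered on `pull_request` with `types: [labeled]` could run, fed with the label name (`github.event.label.name`), the sender (`github.event.sender.login`), the labels on this PR and the labels on the other open PRs. It encodes the role table and the label prerequisites from the question; the team slugs, the membership mapping and the sample PR data are constructed assumptions (real membership would be resolved through the Teams API or a repository variable).

```python
"""Role- and state-gated label check for a GitHub Actions `labeled` job.

Added example, not code from the question or any project. It decides whether
a freshly applied label should stand, so the job can fail and remove it
otherwise. Team slugs and membership below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed team slugs -> labels their members may apply (from the question's table).
ROLE_LABELS = {
    "qa-team": {"ApprovedForUAT", "PassedUAT", "FailedUAT"},
    "release-managers": {"ApprovedForProd"},
    "github-actions": {"DeployedToUAT"},
}

# Labels that must already be on this PR before the new one is valid.
REQUIRES_ON_PR = {
    "PassedUAT": {"DeployedToUAT"},
    "FailedUAT": {"DeployedToUAT"},
    "ApprovedForProd": {"PassedUAT"},
}

# Labels that may not be present on any other open PR when this one is
# applied (the UAT environment holds a single image at a time).
EXCLUSIVE_ACROSS_PRS = {
    "ApprovedForUAT": {"ApprovedForUAT", "DeployedToUAT"},
}

WORKFLOW_LABELS = set().union(*ROLE_LABELS.values())

# Constructed sample membership. A workflow that labels a PR with the default
# GITHUB_TOKEN appears as the sender `github-actions[bot]`.
SAMPLE_MEMBERSHIP = {
    "qa-team": {"alice", "bob"},
    "release-managers": {"carol"},
    "github-actions": {"github-actions[bot]"},
}


@dataclass
class LabelEvent:
    label: str                            # github.event.label.name
    sender: str                           # github.event.sender.login
    pr_labels: set[str]                   # labels on this PR, new one included
    other_open_prs: dict[int, set[str]]   # PR number -> labels, this PR excluded


def roles_of(user: str, membership: dict[str, set[str]]) -> set[str]:
    """Teams the user belongs to, according to the supplied membership map."""
    return {team for team, members in membership.items() if user in members}


def check_label_event(ev: LabelEvent, membership: dict[str, set[str]]) -> tuple[bool, str]:
    """Return (ok, reason); ok=False means fail the job and remove the label."""
    if ev.label not in WORKFLOW_LABELS:
        return True, f"{ev.label!r} is not a workflow label; nothing to enforce"

    # 1. Role check: the sender must belong to a team allowed to apply this label.
    allowed = {team for team, labels in ROLE_LABELS.items() if ev.label in labels}
    if not roles_of(ev.sender, membership) & allowed:
        return False, f"{ev.sender} may not apply {ev.label}; needs one of {sorted(allowed)}"

    # 2. Prerequisite check on this PR (the new label itself does not count).
    missing = REQUIRES_ON_PR.get(ev.label, set()) - (ev.pr_labels - {ev.label})
    if missing:
        return False, f"{ev.label} requires {sorted(missing)} already on the PR"

    # 3. Exclusivity check across the other open PRs.
    for number, labels in ev.other_open_prs.items():
        clash = labels & EXCLUSIVE_ACROSS_PRS.get(ev.label, set())
        if clash:
            return False, f"PR #{number} already carries {sorted(clash)}; resolve that first"

    return True, f"{ev.label} accepted"


if __name__ == "__main__":
    # Constructed event: QA applies ApprovedForUAT while PR #42 is still in UAT.
    ev = LabelEvent("ApprovedForUAT", "alice", {"ApprovedForUAT"}, {42: {"DeployedToUAT"}})
    print(check_label_event(ev, SAMPLE_MEMBERSHIP))
```

In the workflow, pass `${{ github.event.label.name }}` and `${{ github.event.sender.login }}` in as environment variables, exit non-zero when `ok` is false, and follow with a step that strips the label (for example `gh pr edit "$PR_NUMBER" --remove-label "$LABEL"`) so the rejected state never persists. Two caveats apply: the check runs after the label has already been applied, so it is a compensating control rather than a permission, and anyone with write access can change the workflow file, so the `.github/workflows` directory should itself be protected by branch protection and CODEOWNERS review.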
`triaged` label. This label will that all the other labels applied to the issue/PR by others have been reviewed and the issue/PR is ready to move into the development phase. – Compartment