diff --git a/.github/workflows/e2e-label-help.yml b/.github/workflows/e2e-label-help.yml index 517bd9b30..2a61660d2 100644 --- a/.github/workflows/e2e-label-help.yml +++ b/.github/workflows/e2e-label-help.yml @@ -23,6 +23,8 @@ jobs: runs-on: ubuntu-latest permissions: pull-requests: write + actions: read + contents: read steps: - name: Post comment env: @@ -54,11 +56,12 @@ jobs: run_id=$(gh api "repos/$GH_REPO/actions/workflows/$workflow_file/runs?head_sha=$PR_HEAD_SHA&event=push" \ --jq '.workflow_runs | sort_by(.created_at) | reverse | .[0].id // empty') if [ -n "$run_id" ]; then - run_link="[the existing run](https://github.com/$GH_REPO/actions/runs/$run_id)" + instructions="Open [the existing run](https://github.com/$GH_REPO/actions/runs/$run_id) and click **Re-run all jobs** to execute with the label set." else - run_link="[$workflow_name](https://github.com/$GH_REPO/actions/workflows/$workflow_file)" + workflow_link="[$workflow_name](https://github.com/$GH_REPO/actions/workflows/$workflow_file)" + instructions="Open $workflow_link, find the run for commit \`$short_pr\`, and click **Re-run all jobs** to execute with the label set." fi - body="Label \`$LABEL_NAME\` applied for \`$short_pr\`. Open $run_link and click **Re-run all jobs** to execute with the label set. The \`E2E Gate\` check on this PR will flip green automatically once the run finishes." + body="Label \`$LABEL_NAME\` applied for \`$short_pr\`. $instructions The \`E2E Gate\` check on this PR will flip green automatically once the run finishes." fi gh pr comment "$PR_NUMBER" --body "$body" diff --git a/CI.md b/CI.md index d39ecdb45..dc5ecf9fa 100644 --- a/CI.md +++ b/CI.md 
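Review bot: The two scopes added to the `permissions:` block carry no explanation, and only `actions: read` has a visible consumer in this diff. The `gh api "repos/$GH_REPO/actions/workflows/$workflow_file/runs…"` lookup in the later hunk is covered by `actions: read`, but nothing shown here clearly needs `contents: read`. The job body continues outside the hunk, so another step may require it. Because this job also holds `pull-requests: write`, I would annotate each grant with its consumer, e.g. `actions: read  # list workflow runs for the PR head SHA` and `contents: read  # <step that needs this>`, and drop the second if no step does.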
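Review bot: A failed run lookup is not distinguished from "no run found" in the `run_id=$(gh api …)` assignment that feeds the new `if [ -n "$run_id" ]` branches. If the step runs under `bash -e` (the shell options are outside the hunk), a non-zero exit from `gh api`, for instance from a token that lacks `actions: read`, aborts the step before `gh pr comment` and the maintainer gets no instructions at all. The new `else` branch already builds a fallback text that needs no run id, so the assignment could end with `--jq '…') || { echo "::warning::workflow run lookup failed"; run_id=""; }` to degrade to it. The enclosing `if`/`fi` starts outside the hunk.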
@@ -63,7 +63,7 @@ Prerequisites: Flow: 1. Open the PR. copy-pr-bot mirrors it to `pull-request/` automatically. -2. The first push of `pull-request/` runs `Branch E2E Checks`, but it skips the build/E2E jobs because no label is set yet. The PR's `E2E Gate` check stays neutral (no label, no requirement). +2. The first push of `pull-request/` runs `Branch E2E Checks`, but it skips the build/E2E jobs because no label is set yet. The PR's `E2E Gate` check passes as a no-op (no label, no requirement). 3. A maintainer applies `test:e2e` and/or `test:e2e-gpu`. `E2E Label Help` posts a comment with a link to the existing `Branch E2E Checks` run. 4. The maintainer opens that link and clicks **Re-run all jobs**. This time `pr_metadata` sees the label and the build/E2E jobs run. 5. When the run finishes, the `E2E Gate` check on the PR flips to green automatically. diff --git a/architecture/ci-e2e.md b/architecture/ci-e2e.md index 3b4332463..c99e816c3 100644 --- a/architecture/ci-e2e.md +++ b/architecture/ci-e2e.md @@ -150,7 +150,7 @@ Every workflow declares `permissions: {}` at the top. Per-job grants are the min | `e2e-gate.yml` | `e2e`, `gpu` (`workflow_call`) | inherits via the called workflow | | | `rerun-on-completion` | `actions: write` | | `e2e-gate-check.yml` | `check` | `contents: read`, `pull-requests: read`, `actions: read` | -| `e2e-label-help.yml` | `hint` | `pull-requests: write` | +| `e2e-label-help.yml` | `hint` | `pull-requests: write`, `actions: read`, `contents: read` | The reusable worker workflows (`e2e-test.yml`, `e2e-gpu-test.yaml`, `docker-build.yml`) declare their own internal permissions; the calling job grants are an upper bound for them.