diff --git a/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
new file mode 100644
index 00000000000..1debaecf97d
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-367/.github/workflows/label_actor.yml
@@ -0,0 +1,17 @@
+# Making Label gates the only ones bypassable with TOCTOU races since actor or association ones should not be bypassable
+name: Label Trigger Test
+on:
+  pull_request_target:
+    types: [labeled]
+    branches: [main]
+
+jobs:
+  integration-tests:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'npm' && github.actor == 'dependabot[bot]'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - run: bash label_example/tests.sh