I was able to identify a common cause of failure to add labels to project in gerrittrigger. It seems that by default gerrit command does silently drop any labels which the user is not allowed to change, unless the command contains `--strict-labels` part.

Gerrit Trigger should add this by default so we could inside the logs that the message posting failed and not to silently assume that it succeeded. 

ssh <...> gerrit review 107606,16 -m 'msg' --verified -1 --code-review 0 --strict-labels
error: fatal: Applying label "Verified": -1 is restricted

fatal: one or more reviews failed; review output above

ssh <...> gerrit review 107606,16 -m 'msg' --verified -1 --code-review 0

As you can see, using strict-labels assures that Jenkins is informed about the outcome of the command.

Please note that when enabling strict, the message will NOT be posted to gerrit. In the first case the message is posted and the label change is ignored.

I think that Jenkins should try the strict first and fallback to non strict in case of failure, including the error received from gerrit on the first attempt.

This will inform the user that Gerrit permissions are wrong so they can fix them. Also this will include information in Jenkins logs, so admins can spot it.

Current behaviour is much worse, there is nothing logged anywhere indicating that the label change failed.