fix: resolve #355 - PR Agent 无权限校验，存在密钥泄露与滥用风险

dreamhunter2333 · dreamhunter2333 · commit e1185760e7f3 · 2026-03-10T10:26:49.000+08:00
diff --git a/.github/workflows/pr-agent.yml b/.github/workflows/pr-agent.yml
@@ -5,7 +5,27 @@ on:
   issue_comment:
 jobs:
   pr_agent_job:
-    if: ${{ github.event.sender.type != 'Bot' }}
+    if: >-
+      ${{
+        github.event.sender.type != 'Bot' &&
+        (
+          (
+            github.event_name == 'pull_request' &&
+            contains(
+              fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
+              github.event.pull_request.author_association
+            )
+          ) ||
+          (
+            github.event_name == 'issue_comment' &&
+            github.event.issue.pull_request &&
+            contains(
+              fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
+              github.event.comment.author_association
+            )
+          )
+        )
+      }}
     runs-on: ubuntu-latest
     permissions:
       issues: write
