update workflow for security

wilson-cl · wilson-cl · commit 382f55e77f28 · 2025-12-04T15:55:26.000+08:00
diff --git a/.github/workflows/generate-ea.yml b/.github/workflows/generate-ea.yml
@@ -30,6 +30,21 @@ jobs:
       id-token: write # Required for GCP authentication
 
     steps:
+      - name: Check commenter permissions
+        if: github.event_name == 'issue_comment'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: context.actor
+            });
+            if (!['admin', 'write'].includes(permission.permission)) {
+              core.setFailed('Only collaborators with write access can trigger this workflow');
+            }
+            console.log(`User ${context.actor} has ${permission.permission} permission`);
+
       - name: Get PR details (for comment trigger)
         if: github.event_name == 'issue_comment'
         id: pr
@@ -52,7 +67,7 @@ jobs:
           token: ${{ github.token }}
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f # v4
 
       - name: Set up Python
         uses: actions/setup-python@v5.2.0
