security: add authorization checks to CI workflows: Missing authorization checks in CI workflows

[DevVaibhav07]

Summary

Add author_association authorization checks to three GitHub Actions workflows that currently allow any GitHub user to trigger them without restriction. This aligns these workflows with the existing protection used by gemini-dispatch.yml in this repository.

Changes

discussion_answering.yml

• Added author_association check requiring OWNER, MEMBER, or COLLABORATOR
• Removed ADK_GCP_SA_KEY from environment variables (unnecessary since google-github-actions/auth handles authentication via credentials file)

triage.yml

• Added author_association check for issue-triggered runs
• Scheduled runs are unaffected

pr-triage.yml

• Added author_association check for PR-triggered runs
• workflow_dispatch runs are unaffected

Context

These workflows expose sensitive secrets (ADK_GCP_SA_KEY, ADK_TRIAGE_AGENT, GOOGLE_API_KEY) and run AI agents in auto-execution mode (INTERACTIVE: 0). The gemini-dispatch.yml in this repo already uses the correct pattern:

contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)

This PR applies the same pattern to the three unprotected workflows.

Testing Plan
Verified in fork: Opened issue #5838 and discussion #5837 on google/adk-python from an external account (DevVaibhav07, author_association: NONE). Both triage.yml and discussion_answering.yml triggered without any authorization check, confirming the gap.
Existing pattern validated: Confirmed that gemini-dispatch.yml in this repository already uses the same author_association check and works correctly for OWNER/MEMBER/COLLABORATOR users.
No impact on scheduled runs: The triage.yml change only adds the auth check to the github.event.action == 'opened' branch. The github.event_name == 'schedule' branch is untouched.
No impact on workflow_dispatch: The pr-triage.yml change only adds the auth check to the PR-triggered branch. The workflow_dispatch branch is untouched.
YAML syntax verified: All three workflow files pass GitHub Actions syntax validation (GitHub Actions Scan check is passing on this PR).

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[adk-bot]

Response from ADK Triaging Agent

Hello @DevVaibhav07, thank you for submitting this pull request!

We appreciate your effort in securing the workflows. To help us move forward with reviewing your contribution, please address the following items from our Contribution Guidelines:

1. Contributor License Agreement (CLA): It looks like the cla/google check has failed. Please ensure you have signed the Google CLA so we can review your changes.
2. Testing Plan: Please include a testing plan section in your PR description detailing how these Workflow changes were tested or can be verified (e.g., verifying workflow triggers in a fork).

This will help our maintainers review and merge your PR more efficiently. Thank you!

[DevVaibhav07]

Why this PR
While reviewing the repository's GitHub Actions workflows, I noticed that three workflows (discussion_answering.yml, triage.yml, pr-triage.yml) are missing author_association authorization checks. This means any GitHub user — including those with no relationship to the project — can trigger these workflows, which run AI agents with access to repository secrets (ADK_TRIAGE_AGENT, GOOGLE_API_KEY, ADK_GCP_SA_KEY) in auto-execution mode (INTERACTIVE: 0).

The gemini-dispatch.yml workflow in this same repository already implements the correct pattern:

contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
This PR applies that same check to the three unprotected workflows, ensuring only trusted contributors can trigger them.

I also removed ADK_GCP_SA_KEY from the environment variables in discussion_answering.yml since the google-github-actions/auth step already handles GCP authentication via a credentials file — passing the raw key as an env var is unnecessary.

Scheduled runs and workflow_dispatch triggers are unaffected by this change.

[DevVaibhav07]

The bug has been reported to GOOGLE and they asked me to commit the fix for the issue.

[adk-bot]

Response from ADK Triaging Agent

Hello @DevVaibhav07,

Thank you for providing the additional context about why this change is necessary! It's great to see that the Contributor License Agreement (CLA) check has now successfully passed.

However, to help our maintainers review and merge your PR efficiently, could you please provide a testing plan as required by our Contribution Guidelines? Specifically, please share how you verified these workflow changes (for example, by testing them in a personal fork of the repository).

Thank you for your valuable contribution!

[DevVaibhav07]

Testing Plan
Verified in fork: Opened issue #5838 and discussion #5837 on google/adk-python from an external account (DevVaibhav07, author_association: NONE). Both triage.yml and discussion_answering.yml triggered without any authorization check, confirming the gap.
Existing pattern validated: Confirmed that gemini-dispatch.yml in this repository already uses the same author_association check and works correctly for OWNER/MEMBER/COLLABORATOR users.
No impact on scheduled runs: The triage.yml change only adds the auth check to the github.event.action == 'opened' branch. The github.event_name == 'schedule' branch is untouched.
No impact on workflow_dispatch: The pr-triage.yml change only adds the auth check to the PR-triggered branch. The workflow_dispatch branch is untouched.
YAML syntax verified: All three workflow files pass GitHub Actions syntax validation (GitHub Actions Scan check is passing on this PR).