From 51e3493ed0a612cc88cada5d5734de41797febdc Mon Sep 17 00:00:00 2001
From: DevVaibhav07
Date: Fri, 5 Jun 2026 09:32:57 +0530
Subject: [PATCH] security: add author_association authorization checks to CI workflows

---
 .github/workflows/discussion_answering.yml | 14 +++++++++++---
 .github/workflows/pr-triage.yml | 7 ++++++-
 .github/workflows/triage.yml | 5 ++++-
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/discussion_answering.yml b/.github/workflows/discussion_answering.yml
index c5e2209137..da59b2cf1c 100644
--- a/.github/workflows/discussion_answering.yml
+++ b/.github/workflows/discussion_answering.yml
@@ -12,8 +12,17 @@ permissions:
 jobs:
   agent-answer-questions:
     if: >-
-      (github.event_name == 'discussion' && github.event.discussion.category.name == 'Q&A') ||
-      (github.event_name == 'discussion_comment' && contains(github.event.comment.body, '@adk-bot') && github.event.sender.login != 'adk-bot')
+      (
+        github.event_name == 'discussion' &&
+        github.event.discussion.category.name == 'Q&A' &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.discussion.author_association)
+      ) ||
+      (
+        github.event_name == 'discussion_comment' &&
+        contains(github.event.comment.body, '@adk-bot') &&
+        github.event.sender.login != 'adk-bot' &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
+      )
     runs-on: ubuntu-latest
     steps:
@@ -39,7 +48,6 @@ jobs:
       - name: Run Answering Script
         env:
           GITHUB_TOKEN: ${{ secrets.ADK_TRIAGE_AGENT }}
-          ADK_GCP_SA_KEY: ${{ secrets.ADK_GCP_SA_KEY }}
           GOOGLE_CLOUD_PROJECT: ${{ secrets.GOOGLE_CLOUD_PROJECT }}
           GOOGLE_CLOUD_LOCATION: ${{ secrets.GOOGLE_CLOUD_LOCATION }}
           VERTEXAI_DATASTORE_ID: ${{ secrets.VERTEXAI_DATASTORE_ID }}
diff --git a/.github/workflows/pr-triage.yml b/.github/workflows/pr-triage.yml
index 13199667de..3071945dce 100644
--- a/.github/workflows/pr-triage.yml
+++ b/.github/workflows/pr-triage.yml
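Review bot: The new `discussion_comment` branch authorizes the trigger but not the data: a maintainer mentioning `@adk-bot` on a Q&A discussion opened by an outsider still passes the `github.event.comment.author_association` check, and the answering script presumably fetches the discussion body and earlier comments, so untrusted text can still reach the agent by that path. If the gate is meant to keep the `ADK_TRIAGE_AGENT` token away from prompt-injected content, either also require `github.event.discussion.author_association` to be in the allow-list on that branch, or state in the script that fetched content is treated as untrusted. The allow-list literal `fromJSON('["OWNER","MEMBER","COLLABORATOR"]')` is repeated twice here and again in the pr-triage.yml and triage.yml hunks, and nothing records why `CONTRIBUTOR`/`NONE` are excluded; a comment above `if:` such as `# Only repo owners, members and collaborators may invoke the agent; CONTRIBUTOR and NONE are excluded on purpose` would carry that intent. Note that this also removes the job's original reach, since community Q&A discussions carry `CONTRIBUTOR` or `NONE` and will no longer be answered, and the commit message does not say that is intended.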
@@ -12,7 +12,12 @@ on:
 jobs:
   agent-triage-pull-request:
-    if: github.event_name == 'workflow_dispatch' || !contains(github.event.pull_request.labels.*.name, 'google-contributor')
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      (
+        !contains(github.event.pull_request.labels.*.name, 'google-contributor') &&
+        contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.pull_request.author_association)
+      )
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index 396d1647bd..19247a0315 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
@@ -17,7 +17,10 @@ jobs:
     if: >-
       github.repository == 'google/adk-python' && (
         github.event_name == 'schedule' ||
-        github.event.action == 'opened'
+        (
+          github.event.action == 'opened' &&
+          contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.issue.author_association)
+        )
       )
     permissions:
       issues: write
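Review bot: The new condition appears to invert the job's purpose: the removed `if` ran triage on every PR without the `google-contributor` label (i.e. external PRs), while the new one additionally requires `github.event.pull_request.author_association` to be OWNER/MEMBER/COLLABORATOR, so external PRs are now skipped and only unlabelled internal PRs are triaged. If the goal is to keep the `pull-requests: write` token away from fork-authored PRs (the `on:` block is above the hunk, so whether this runs on `pull_request_target` is not visible), say so in a comment above `if:`; otherwise the label check is now largely redundant with the association check. As I understand it, `COLLABORATOR` covers anyone invited to the repository regardless of permission level, so the allow-list may be wider than "maintainer"; confirm against the repository's collaborator set. The job definition begins before the hunk, so `runs-on` and the remaining steps were not reviewed.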
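Review bot: With this gate, issues opened by anyone outside OWNER/MEMBER/COLLABORATOR are no longer triaged on `opened`, which is presumably most of the triage workload; only the `schedule` branch would pick them up later, if it does. If that trade-off is intended (keeping the `issues: write` token away from untrusted issue text on the event path), a comment above the inner `(` such as `# Only maintainer-opened issues are triaged on open; community issues are left to the scheduled sweep` would make it explicit and visible to whoever next edits the condition; if it is not intended, the association check should be dropped here and untrusted content handled inside the triage script instead. The enclosing job starts before the hunk, so the `schedule` trigger's behaviour could not be confirmed from what is shown.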