From 661016f5f0c1fafe460405ed689f334c5d0848ef Mon Sep 17 00:00:00 2001
From: demirjs <41634504+hsndmr@users.noreply.github.com>
Date: Wed, 25 Jun 2025 11:37:22 +0300
Subject: [PATCH] Enhance GitHub Actions workflow to ensure only authorized user can publish from main branch
---
 .github/workflows/publish.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d4d9782..f20fa4f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -28,6 +28,25 @@ jobs:
 - name: Install dependencies
 run: pnpm install
+ - name: Ensure tag is from main branch and by trusted user
+ run: |
+ TRUSTED_USER="hsndmr"
+
+ if [ "$GITHUB_ACTOR" != "$TRUSTED_USER" ]; then
+ echo "Unauthorized user: $GITHUB_ACTOR. Only $TRUSTED_USER can publish."
+ exit 1
+ fi
+
+ git fetch origin main --depth=1
+
+ BRANCH=$(git branch -r --contains ${{ github.sha }} | grep origin/main || true)
+ if [ -z "$BRANCH" ]; then
+ echo "Tag is not from main branch. Aborting publish."
+ exit 1
+ fi
+
+ echo "Tag is from main branch and user is authorized. Continuing."
+
 - name: Copy root files into package
 run: |
 cp README.md CHANGELOG.md ./packages/reactotron-react-query/
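Review bot: The branch test `grep origin/main` is a substring match, so a tagged commit that is reachable only from a branch such as `origin/maintenance` or `origin/main-backup` would pass the "from main" check; reachability from main is what the step means, and `git merge-base --is-ancestor` states it exactly, e.g. `if ! git merge-base --is-ancestor "$GITHUB_SHA" origin/main; then echo "Tag is not from main branch. Aborting publish."; exit 1; fi`. Because `git fetch origin main --depth=1` brings in only the tip of main, a tag placed on an older main commit is rejected as not-from-main unless full history is already available from the checkout step (outside this hunk); dropping `--depth=1` or using `--unshallow` is the fix if that case matters. Comparing `GITHUB_ACTOR` against a literal login ties the gate to a renameable username and, on a re-run of the job, still reports the original actor rather than whoever re-ran it; `${{ github.actor_id }}` is the stable identity and `${{ github.triggering_actor }}` the re-run-aware one, if those distinctions matter here. The new step also sits after `pnpm install`, so an unauthorized trigger still runs a full dependency install before being rejected; placing the gate ahead of the install step keeps that work out of an untrusted run.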