fix security issues

Author: mvadari

.github/workflows/assign-xls-number.yml

@@ -1,15 +1,54 @@
 name: Assign XLS Number
 
 on:
-  pull_request_review:
-    types: [submitted]
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
 
 jobs:
+  check-approval:
+    runs-on: ubuntu-latest
+    name: Check for Write+ Approval
+    outputs:
+      has_write_approval: ${{ steps.check-approval.outputs.has_write_approval }}
+    steps:
+      - name: Check for write+ approval
+        id: check-approval
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: reviews } = await github.rest.pulls.listReviews({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.payload.pull_request.number
+            });
+
+            // Get only approved reviews
+            const approvals = reviews.filter(review => review.state === 'APPROVED');
+
+            // Check each approver's permission level
+            for (const approval of approvals) {
+              const { data: permissionLevel } = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: approval.user.login
+              });
+
+              const permission = permissionLevel.permission;
+              if (['write', 'admin', 'maintain'].includes(permission)) {
+                console.log(`Found write+ approval from ${approval.user.login} (${permission})`);
+                core.setOutput('has_write_approval', 'true');
+                return;
+              }
+            }
+
+            console.log('No write+ approval found');
+            core.setOutput('has_write_approval', 'false');
+
   assign-xls-number:
     runs-on: ubuntu-latest
     name: Assign XLS Number to Draft
-    # Only run when the review is an approval
-    if: github.event.review.state == 'approved'
+    needs: check-approval
+    if: needs.check-approval.outputs.has_write_approval == 'true'
     permissions:
       pull-requests: write
       issues: write