Never run outside github actions

pkg/workflow/generator.go

@@ -86,10 +86,23 @@ func generateWorkflowYAML(data WorkflowTemplate) (string, error) {
 			},
 			"workflow_dispatch": map[string]interface{}{}, // Allow manual triggering
 		},
+		// Add environment constraints to prevent running outside GitHub Actions
+		"permissions": map[string]string{
+			"contents": "write", // Needed to push changes
+			"actions":  "read",  // Minimal action permissions
+		},
 		"jobs": map[string]interface{}{
 			"sync": map[string]interface{}{
 				"runs-on": "ubuntu-latest",
+				// Add environment check to ensure GitHub Actions environment
+				"env": map[string]string{
+					"GITHUB_ACTIONS_ENVIRONMENT": "${{ github.action }}", // Should always be set in GitHub Actions
+				},
 				"steps": []map[string]interface{}{
+					{
+						"name": "Security Check",
+						"run":  "if [ \"$GITHUB_ACTIONS_ENVIRONMENT\" == \"\" ]; then echo \"This workflow is only intended to run inside GitHub Actions\"; exit 1; fi",
+					},
 					{
 						"name": "Checkout GitHub Mirror",
 						"uses": "actions/checkout@v3",