From 016e4c90e0f2cd8047a2943d39a7d61acb90f591 Mon Sep 17 00:00:00 2001
From: Val Alexander
Date: Fri, 5 Jun 2026 16:58:27 -0700
Subject: [PATCH] fix(ci): restrict auto release marker to release bot
---
 .github/workflows/auto-release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 185a7ac..b279bfc 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -2,7 +2,7 @@ name: Auto Release (commit marker)
 # Two flows, both driven by markers in the head commit message:
 #
-# --release vMAJOR.MINOR.PATCH
+# --release vMAJOR.MINOR.PATCH (restricted to OpenCoven release bot)
 # Cut a brand-new release. The requested tag must be strictly greater
 # (semver) than the highest existing tag, and must not already exist.
 # Stamps the version across Cargo.toml/lock, npm, README, docs, and the
@@ -36,8 +36,11 @@ concurrency:
 cancel-in-progress: false
 jobs:
+ # Restricted to the release bot so contributor-controlled PR titles or
+ # commit messages cannot authorize a release when a maintainer merges them.
 auto-release:
 runs-on: ubuntu-latest
+ if: github.actor == 'opencoven-bot'
 steps:
 # ── 0. Skip our own bump commits ──────────────────────────────────
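Review bot: The added job condition `if: github.actor == 'opencoven-bot'` in the second hunk authorizes a release by who triggered the run, not by who wrote the marker, so any push or merge the bot itself performs (an auto-merge of a contributor PR, for instance) would still let a contributor-written `--release` marker through. The workflow's `on:` triggers and the steps that parse the marker are outside this hunk, so confirm that the bot never lands commits whose message a contributor controls. The login is also a mutable name, and if the bot is a GitHub App rather than a machine user, the actor is reported with a `[bot]` suffix and this condition would never match. Pinning the immutable account id as well is sturdier: `if: github.actor == 'opencoven-bot' && github.actor_id == '<BOT_ACCOUNT_ID>'` (placeholder for the bot's numeric id). On a re-run `github.actor` remains the original actor, so check `github.triggering_actor` too if re-runs should be restricted.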