finalize-g4w-release: must only run in response to a manually-triggered run

The purpose of the `finalize-g4w-release` functionality is to react to a
completed `release-git` run that was triggered in a Git for Windows PR
via the `/release` slash command by a trusted user.

So far, we only validate the workflow name, though. But this workflow
could easily be triggered in a crafted PR by changing the `on:
workflow_dispatch` to `on: pull_request`.

Make sure that it was triggered via `workflow_dispatch`, which would
imply that it was triggered either by a trusted user or by Git for
Windows' automation via the GitHub App's installation access token.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

GitForWindowsHelper/index.js

@@ -52,6 +52,8 @@ module.exports = async function (context, req) {
     try {
         const finalizeGitForWindowsRelease = require('./finalize-g4w-release')
         if (req.headers['x-github-event'] === 'workflow_run'
+            && req.body.workflow_run?.event === 'workflow_dispatch'
+            && req.body.workflow_run?.head_branch === 'main'
             && req.body.repository.full_name === 'git-for-windows/git-for-windows-automation'
             && req.body.action === 'completed'
             && req.body.workflow_run.path === '.github/workflows/release-git.yml'