cascading-run (push): validate event's sender

While a `push` that we already verified came from the `main` branch kind
of implies that the person pushing that branch has write permissions,
let's just add the usual permission check, too. Security is a game of
layers.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

GitForWindowsHelper/cascading-runs.js

@@ -271,13 +271,16 @@ const handlePush = async (context, req) => {
     const pushRepo = req.body.repository.name
     const ref = req.body.ref
     const commit = req.body.after
+    const sender = req.body.sender.login
 
     if (pushOwner !== 'git-for-windows' || pushRepo !== 'git') {
         throw new Error(`Refusing to handle push to ${pushOwner}/${pushRepo}`)
     }
 
     if (ref !== 'refs/heads/main') return `Ignoring push to ${ref}`
 
+    if (!await isAllowed(sender)) throw new Error(`${sender} is not allowed to do that`)
+
     // See whether there was are already a `tag-git` check-run for this commit
     const { listCheckRunsForCommit, queueCheckRun, updateCheckRun } = require('./check-runs')
     const gitToken = await getToken(context, pushOwner, pushRepo)