test: prevent dependabot to publish (#5167)

* Initial plan

* Generalize bot username check to include any [bot] username

* Restrict publish permission to Dependabot only

* Apply suggestions from code review

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Maximilian Franzke <787658+mfranzke@users.noreply.github.com>

Author: Copilot

scripts/tests/github/get-release.spec.ts

@@ -35,4 +35,22 @@ describe('build-gh-page', () => {
 			"Command failed: npx --no tsx github/get-release.ts\nYour tag has to start with 'v'"
 		);
 	});
+
+	test('bot should be blocked', async () => {
+		process.env.GITHUB_REF = 'refs/tags/v1.2.3';
+		process.env.GITHUB_ACTOR = 'dependabot[bot]';
+		process.env.GITHUB_COMMITISH = 'main';
+		process.env.GITHUB_PRE_RELEASE = 'false';
+		let result: string;
+		try {
+			result = execSync(command).toString();
+		} catch (error) {
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment
+			result = error.message;
+		}
+
+		expect(result.toString().trim()).toEqual(
+			'Command failed: npx --no tsx github/get-release.ts\nDependabot has no permission to publish!'
+		);
+	});
 });