Restrict deploy workflow repository and ref (#1817)

Fixes a hypothetical attack that has not occurred

.github/workflows/deploy.yml

@@ -12,6 +12,14 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+
+    # If you are forking and want to set up your own website, adjust the repository and branch
+    # below to match your repository or remove the condition entirely.
+    # Because we want this workflow to have workflow_dispatch, this is also a security improvement
+    # as it means extension reviewers can't push a malicious branch then manually deploy it; it
+    # must go through the master branch and its associated review process.
+    if: ${{ github.repository == 'TurboWarp/extensions' && github.ref == 'refs/heads/master' }}
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
@@ -40,6 +48,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
-    - name: Deploy to GitHub Pages
-      id: deployment
-      uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e