[CI] Update Stylebot Permissions (#792)

.github/workflows/pr_style_bot.yml

@@ -5,17 +5,50 @@ on:
   issue_comment:
     types: [created]
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
+
+env:
+  PYTHON_VERSION: "3.10"
 
 jobs:
-  run-style-bot:
+  check-permissions:
     if: >
       contains(github.event.comment.body, '@bot /style') &&
       github.event.issue.pull_request != null
     runs-on: ubuntu-latest
+    outputs:
+      is_authorized: ${{ steps.check_user_permission.outputs.has_permission }}
+    steps:
+      - name: Check user permission
+        id: check_user_permission
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const comment_user = context.payload.comment.user.login;
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: comment_user
+            });
 
+            const authorized =
+              permission.permission === 'admin' ||
+              permission.permission === 'write';
+
+            console.log(
+              `User ${comment_user} has permission level: ${permission.permission}, ` +
+              `authorized: ${authorized} (admins & maintainers allowed)`
+            );
+
+            core.setOutput('has_permission', authorized);
+
+  run-style-bot:
+    needs: check-permissions
+    if: needs.check-permissions.outputs.is_authorized == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Extract PR details
         id: pr_info
@@ -61,6 +94,8 @@ jobs:
 
       - name: Set up Python
         uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Get Ruff Version from pre-commit-config.yaml
         id: get-ruff-version