diff --git a/.github/workflows/pr_actions.yml b/.github/workflows/pr_actions.yml
index 53f74579053e4..0e274063e3585 100644
--- a/.github/workflows/pr_actions.yml
+++ b/.github/workflows/pr_actions.yml
@@ -9,15 +9,28 @@ jobs:
 # Action to update test results by issuing /lint
 run_lint:
 name: "On demand linting"
- if: ${{ github.event.issue.pull_request && github.event.comment.body == '/lint' }}
+ if: |
+ ${{
+ github.event.issue.pull_request &&
+ github.event.comment.body == '/lint' &&
+ contains(fromJSON('["COLLABORATOR", "CONTRIBUTOR", "MEMBER", "OWNER"]'), github.event.comment.author_association)
+ }}
 runs-on: ubuntu-latest
 steps:
+ - name: Get branch name
+ # see https://github.com/actions/checkout/issues/331
+ id: get-branch
+ run: echo ::set-output name=branch::$(gh pr view $PR_NO --repo $REPO --json headRefName --jq '.headRefName')
+ env:
+ REPO: ${{ github.repository }}
+ PR_NO: ${{ github.event.issue.number }}
+ GITHUB_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
 - name: Checkout
 uses: actions/checkout@v4
 with:
 fetch-depth: 1
 # grab the PR branch
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ steps.get-branch.outputs.branch }}
 # We can't use GITHUB_TOKEN here because, github actions can't trigger actions
 # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
 # So this is a personal access token
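Review bot: The new `if: |` condition on `run_lint` is very likely always true, and the same pattern is repeated on `update_test_results` in the next hunk. With a literal block scalar the value is `${{ … }}` plus a trailing newline, so GitHub evaluates it as a string template rather than a boolean, and a non-empty string such as `false` followed by a newline is truthy. If so, neither the `/lint` match nor the new `author_association` gate is enforced, and any issue comment starts a job that later uses a personal access token. Drop the `${{` and `}}` lines and write `if: >-` followed by the three bare conditions. Separately, `CONTRIBUTOR` covers anyone with a previously merged commit, so consider `["COLLABORATOR", "MEMBER", "OWNER"]` if only maintainers should be able to trigger these jobs.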
@@ -45,15 +58,28 @@ jobs:
 # Action to update test results by issuing /update_tests_results
 update_test_results:
 name: "On demand Update Tests Results"
- if: ${{ github.event.issue.pull_request && github.event.comment.body == '/update_tests_results' }}
+ if: |
+ ${{
+ github.event.issue.pull_request &&
+ github.event.comment.body == '/update_tests_results' &&
+ contains(fromJSON('["COLLABORATOR", "CONTRIBUTOR", "MEMBER", "OWNER"]'), github.event.comment.author_association)
+ }}
 runs-on: ubuntu-latest
 steps:
+ - name: Get branch name
+ # see https://github.com/actions/checkout/issues/331
+ id: get-branch
+ run: echo ::set-output name=branch::$(gh pr view $PR_NO --repo $REPO --json headRefName --jq '.headRefName')
+ env:
+ REPO: ${{ github.repository }}
+ PR_NO: ${{ github.event.issue.number }}
+ GITHUB_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
 - name: Checkout
 uses: actions/checkout@v4
 with:
 fetch-depth: 1
 # grab the PR branch
- ref: ${{ github.event.pull_request.head.ref }}
+ ref: ${{ steps.get-branch.outputs.branch }}
 # We can't use GITHUB_TOKEN here because, github actions can't trigger actions
 # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
 # So this is a personal access token
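Review bot: The added `Get branch name` step hands the `RELEASE_PLEASE_TOKEN` personal access token to a read-only `gh pr view` lookup, here and in the matching step of the `run_lint` hunk. The workflow's own token should be enough for that call (given `pull-requests: read`), e.g. `GITHUB_TOKEN: ${{ github.token }}`, which keeps the PAT confined to the steps that must push. The step also relies on the deprecated `::set-output` command with unquoted expansions; the current form is `run: echo "branch=$(gh pr view "$PR_NO" --repo "$REPO" --json headRefName --jq '.headRefName')" >> "$GITHUB_OUTPUT"`. `headRefName` is chosen by the PR author, and for a PR from a fork it names a branch that may not exist in this repository or may coincide with an unrelated one, so fork PRs should be rejected or handled explicitly before the checkout. The job's remaining steps are outside the hunk.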