Enhance PR workflow to check for author

Added logic to check for the author of the pull request.

Signed-off-by: James Cole <james@firefly-iii.org>

.github/pull_request_template.md

@@ -38,9 +38,11 @@ Example: Fixes #1234. See also #3456.
 
 #### AI usage disclosure
 <!--
-If AI tools were involved in creating this PR, please check all boxes that apply
+If AI tools were involved in creating this PR, please check all boxes that apply 
 below and make sure that you adhere to our Automated Contributions Policy:
 https://docs.firefly-iii.org/explanation/support/#automated-contributions-policy
+
+If you remove or skip this disclosure, your PR may be ignored.
 -->
 I used AI assistance for:
 - [ ] Code generation (e.g., when writing an implementation or fixing a bug)

.github/security.md

@@ -3,6 +3,15 @@
 Firefly III is an application to manage your personal finances. As such, the developer has adopted this security
 disclosure and response policy to ensure that critical issues are responsibly handled.
 
+## AI-generated security advisories
+
+> [!WARNING]  
+> Due to a large number of irrelevant, noisy and uninformed AI-generated security advisories coming my way, reporting any the following security issues may result in a permanent ban from the Firefly III organization on GitHub.
+
+1. Any SSRF in any user provided URL field (webhooks, ntfy, SimpleFIN, Slack). It's by design that users may set-up any URL they want, be it internal, private or non-existing.
+2. Any XSS issue without a viable attack tree. If you can find a spot where Firefly III or the associated tools render unescaped data, it's not a security issue unless you can show me an actual attack that gets that data into the system.
+3. Any issue that is not true. AI models have already *hallucinated* security issues in Firefly III. They've referred to **non-existing** functions, templates and files. Including line numbers and code excerpts. Validate your findings before you report them to me.
+
 ## Supported versions
 
 Only the latest Firefly III release is maintained. Applicable fixes, including security fixes, will not be backported to

.github/workflows/depsreview.yml

@@ -13,4 +13,4 @@ jobs:
         with:
           fetch-depth: 0
       - name: 'Dependency review'
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@v5

.github/workflows/pr-reply-no-disclosure.yml

@@ -0,0 +1,66 @@
+name: 'PRs - Check for AI disclosure'
+
+# the workflow to execute on is comments that are newly created
+on:
+  pull_request:
+    types: [ opened ]
+
+# permissions needed for reacting to IssueOps commands on issues and PRs
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+  checks: read
+
+jobs:
+  respond:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          BODY=$(gh pr view $NUMBER --json body)
+          AUTHOR=$(gh pr view $NUMBER --json author)
+
+          if [[ $BODY == *"app/dependabot"* ]]; then
+            echo "Is dependabot, stop"
+            exit 0
+          fi
+
+          # I used AI assistance for:
+          # - [ ] Code generation (e.g., when writing an implementation or fixing a bug)
+          # - [ ] Test/benchmark generation
+          # - [ ] Documentation (including examples)
+          # - [ ] Research and understanding
+
+
+
+          # $BODY must contain one of these four uses.
+          if [[ $BODY != *"Code generation"* &&
+                $BODY != *"Test/benchmark generation"* &&
+                $BODY != *"Documentation"* &&
+                $BODY != *"Research and understanding"* &&
+                $BODY != *"I used AI assistance for"* ]]; then
+            MESSAGE="Hi there!
+
+          This is an automated reply. \`Share and enjoy\`
+
+          You triggered an automated reply, because it seems you removed or changed the AI assistance disclosure from the PR template. Without a valid disclosure, your PR cannot be processed.
+
+          Even if you did not use AI, this disclosure must be present. Please reply to your PR and explain your use of AI in any or all of the following areas:
+
+          1. Code generation (e.g., when writing an implementation or fixing a bug)
+          2. Test/benchmark generation
+          3. Documentation (including examples)
+          4. Research and understanding
+
+          There cannot be interaction with your PR without this disclosure.
+
+          If the disclosure is present but the bot did not pick up on it, please accept my apologies for the intrusion. Contrary to other bots, this one is just a simple \`bash\` script and it may be wrong."
+
+            gh pr comment "$NUMBER" --body "$MESSAGE"
+            echo "Triggered on AI disclosure missing."
+            exit 0
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.pull_request.number }}