Is it possible to only allow some branches to trigger GitHub Actions?
I was wondering if there were a way to restrict the branches that can trigger an action. Here is my use case.
I have a repository that has a workflow. This workflow deploys the code to my prod when there is a push on master only, with the deploy_to_prod action. Someone decides to create a develop branch. He pushes on this branch a modification of the workflow to trigger the workflow any time someone pushes to master or develop. It means he is now able to push develop to the prod environment without restriction, and thus a branch protection on master is useless.
Am I missing something? Do you have a mitigation policy to avoid this situation? I have thought about restricting the branches that could trigger a workflow, but I am not sure it would be sufficient and/or possible.
- Can we protect workflows from modifications that have not been merged to master, for example?
- Could we add a notification policy when those files are changed?
- Could we restrict some runners to some branches (runners that have specific rights)?
Thanks
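As an added example (not part of the original question), here is a deployment workflow that ties the production job to a GitHub environment. The `on.push.branches` filter alone is not a security boundary, because anyone who can push to another branch can edit the workflow file on that branch. What actually stops the scenario above is the environment's deployment branch policy, configured in the repository settings (Settings > Environments > production > Deployment branches): a job that targets the `production` environment from a branch the policy does not allow is refused before it starts, and secrets stored on the environment are never exposed to such a job. The workflow file name, environment URL, secret name and deploy script are assumptions.

```yaml
# .github/workflows/deploy_to_prod.yml (added example; file name is assumed)
name: deploy_to_prod

on:
  push:
    branches:
      - master   # convenience filter only: a develop branch can rewrite this line

jobs:
  deploy:
    runs-on: ubuntu-latest
    # The environment is the real control. In Settings > Environments > production,
    # set "Deployment branches" to "Protected branches" (or a rule naming master).
    # A job that references this environment from any other branch is refused
    # before it starts, and PROD_DEPLOY_TOKEN below is an environment secret, so
    # it is never handed to a job running from develop.
    environment:
      name: production
      url: https://prod.example.com   # assumed
    steps:
      - uses: actions/checkout@v4
      - name: Deploy
        env:
          # environment-scoped secret (assumed name); do not also define it as a
          # repository-level secret, since repository secrets are readable by
          # workflows on any branch of the repository
          PROD_DEPLOY_TOKEN: ${{ secrets.PROD_DEPLOY_TOKEN }}
        run: ./scripts/deploy.sh   # assumed deploy script
```

A job-level guard such as `if: github.ref == 'refs/heads/master'` adds nothing here, because it lives in the same file the develop branch can edit. The environment also gives you a place to require reviewers before the job runs, which covers the "notification policy" question for the deployment itself; for changes to the workflow files, a CODEOWNERS rule on `.github/workflows/` combined with required reviews on master controls what reaches master, but not what runs from other branches, which is exactly why the production credentials should live on the environment rather than in the repository.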
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow