Tighter security than Personal Access Token for HTTP API call?

Hi! I’ve been playing around with the idea of writing a comment system for GitHub Pages (Jekyll) sites using purely Jekyll, client-side JavaScript, and GitHub Actions. However, I think I’ve found a security weakness that any such system would have, that there isn’t an answer to.

My idea was to create a workflow_dispatch event that would be called via HTTP POST, and would handle the comment appropriately. This is possible according to the docs, but the client has to authenticate by providing a valid Personal Access Token that has at least the repo scope. This gives quite a lot of power to whoever has that token, and in a system like I am proposing, this would have to be in the client-side JS - therefore, essentially, public on the web.

Even if I were to create a separate GitHub user to handle the actions, this still results in anyone who can “view source” being given the power to create repositories as that user, and potentially use that user account for unintended purposes.

I was wondering if anyone had done something like this before, or if anyone out there in the community has a clever idea to work around this problem? As far as I can tell, I’m stuck - I just can’t use GitHub Actions for this in a secure way. But if you have any ideas, please let me know!
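Added example, not part of the original post: what the proposed client-side workflow_dispatch call looks like against the GitHub REST API, the same token reused against `POST /user/repos` to show the extra power the repo scope carries, and a check that scans a shipped JS bundle for GitHub token shapes. The owner, repo, workflow file name, the sample bundle and the fake token are placeholders invented for this example; the token prefixes and lengths in the regexes are assumptions about GitHub's current token formats.

```javascript
// Added example (not from the original post). Runs offline: it only builds
// request objects and scans a constructed string, it never calls GitHub.

const GITHUB_API = "https://api.github.com";

// The request a browser would send to trigger a workflow_dispatch event.
// Endpoint and headers follow the GitHub REST API docs; owner, repo and
// workflow file are placeholders.
function buildDispatchRequest({ owner, repo, workflowFile, ref, inputs, token }) {
  return {
    method: "POST",
    url: `${GITHUB_API}/repos/${owner}/${repo}/actions/workflows/${workflowFile}/dispatches`,
    headers: {
      Accept: "application/vnd.github+json",
      // The PAT travels in this header, so it must be present in page source.
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ ref, inputs }),
  };
}

// The same token is not limited to dispatching workflows: with the repo scope
// it can also create a repository as that user via POST /user/repos.
function buildCreateRepoRequest({ name, token }) {
  return {
    method: "POST",
    url: `${GITHUB_API}/user/repos`,
    headers: {
      Accept: "application/vnd.github+json",
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ name, private: true }),
  };
}

// Check: look for GitHub token shapes in a JS bundle you are about to ship.
// Prefix/length patterns are assumptions about GitHub's documented formats.
const TOKEN_PATTERNS = [
  /\bghp_[A-Za-z0-9]{36}\b/g,           // classic personal access token
  /\bgithub_pat_[A-Za-z0-9_]{20,}\b/g,  // fine-grained personal access token
  /\bgh[ours]_[A-Za-z0-9]{36}\b/g,      // OAuth, user/server-to-server, refresh tokens
];

function findExposedTokens(source) {
  const found = [];
  for (const re of TOKEN_PATTERNS) {
    for (const m of source.matchAll(re)) {
      found.push({ token: m[0], offset: m.index });
    }
  }
  return found;
}

// Constructed sample of what the proposed comments.js would contain.
// FAKE_TOKEN has the classic-PAT shape (ghp_ + 36 chars) but is not a real token.
const FAKE_TOKEN = "ghp_" + "0123456789abcdef".repeat(2) + "0123";
const SAMPLE_BUNDLE = `
const TOKEN = "${FAKE_TOKEN}"; // comment bot
fetch("${GITHUB_API}/repos/example/site/actions/workflows/comment.yml/dispatches", {
  method: "POST", headers: { Authorization: "Bearer " + TOKEN }, body: "{}" });
`;

// Print a redacted report of what a "view source" reader would get.
function report(source) {
  return findExposedTokens(source).map(
    ({ token, offset }) => `${token.slice(0, 4)}...${token.slice(-4)} at offset ${offset}`
  );
}

console.log(buildDispatchRequest({
  owner: "example", repo: "site", workflowFile: "comment.yml",
  ref: "main", inputs: { body: "hello" }, token: FAKE_TOKEN,
}).url);
console.log("tokens exposed in bundle:", report(SAMPLE_BUNDLE));
```

Running the scanner over the built `_site` output (or whatever gets deployed) before publishing is the cheap check: if it reports anything, the token is public, regardless of which account it belongs to.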