Workflow_dispatch by Admins only on main branch

I have a private org repo with hired consultants working on the code base with Action-based deployment to Azure.

It is unclear to me what settings I need to make it so that only Repo Admins can manually trigger the deployment action and only using the definition in the main branch. I have branch protection that requires Admin to merge to main (I think, although GitHub makes this enforcement awkward and uncertain too).

It’s hard to see what the consultants can do because of limited user accounts I have available to experiment with, but it seems to me that because the Action is on: workflow_dispatch, the developers working on their own branch are able to run the Action any time they want. I think they can also modify the Action definition in their branch and use the manual-trigger Action UI to run the action definition that they’ve modified in their branch instead of the definition in main - and that could potentially be used to leak out the secrets or other bad things.

Does GitHub offer strong security configuration for this typical need, external developers or not?