When using GitHub Actions for Continuous Deployment, it seems as though any collaborator on the team could work around the system in the following ways:
An obvious solution would be to implement "Protected Secrets" with a checkbox much like Gitlab does for "Protected environment variables"... "Protected Secrets" would only be passed to actions running on protected branches.
For your first scenario, if you use on: push in your workflow file on non-deployment branches, it will be triggered when you push the change. You could use paths-ignore to exclude changes of the workflow file. https://help.github.com/en/actions/automating-your-workflow-with-github-actions/workflow-syntax-for-...
For the second one, you could share your idea in the Feedback form for GitHub Actions.
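As an added example that is not part of the original thread, this is what a workflow combining the reply's suggestions looks like: the deployment job only triggers on pushes to one branch and ignores pushes whose only changes are to workflow files. The branch name, script path and secret name are assumptions.

```yaml
# Added example (not from the original thread). Deployment job limited to
# pushes on one branch; pushes that touch only workflow files are skipped.
name: deploy

on:
  push:
    branches:
      - master                   # assumed deployment branch (protected on GitHub side)
    paths-ignore:
      - '.github/workflows/**'   # a push changing only workflow files does not trigger a run

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Deploy
        run: ./deploy.sh         # assumed deployment script in the repository
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # assumed secret name
```

Note that paths-ignore only skips a run when every changed file in the push matches one of its patterns; a push that edits a workflow file together with other files still triggers the workflow.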