diff --git a/.github/workflows/format-pr.yml b/.github/workflows/format-pr.yml
index 5eacfb0072..20beba0bf0 100644
--- a/.github/workflows/format-pr.yml
+++ b/.github/workflows/format-pr.yml
@@ -44,7 +44,14 @@ jobs:
 # Important to have no permissions for this because the code can't be trusted.
 comment-format-untrusted:
 runs-on: ubuntu-latest
- if: github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '!format')
+ if: |
+ github.event_name == 'issue_comment' &&
+ github.event.issue.pull_request &&
+ contains(github.event.comment.body, '!format') &&
+ (
+ github.event.comment.author_association == 'MEMBER' ||
+ github.event.comment.user.id == github.event.issue.user.id
+ )
 permissions: {}
 steps:
 - name: Checkout upstream
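Review bot: The new commenter check in the `if:` of `comment-format-untrusted` limits who can start the job, but it does not make the job's input trusted. The PR author is explicitly allowed, and a member's `!format` comment presumably still runs against whatever the PR branch contains at that moment. A later reader could take the gate as grounds to relax `permissions: {}`, so I would add a comment above the condition, e.g. `# Gate only limits who can trigger the run; PR code is still untrusted, keep permissions empty.` Comparing against `'MEMBER'` alone also excludes `OWNER` and `COLLABORATOR` associations, which may be intended but is worth stating in that comment. The job's steps continue past the end of the hunk, so how the checked-out code is used is not visible here.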