
Add sha_pinning_required check for GitHub Actions permissions#28

Merged
david3107 merged 3 commits into main from copilot/add-sha-pinning-check on Oct 10, 2025

Conversation

Contributor

Copilot AI commented Oct 10, 2025

Overview

This PR implements support for the new sha_pinning_required field that GitHub recently added to the Actions permissions API endpoints. This security feature ensures that workflow actions are referenced by their full commit SHA rather than by tag or branch, preventing potential supply chain attacks.

Changes

API Integration

Added support for retrieving the sha_pinning_required field from:

  • GET /repos/{owner}/{repo}/actions/permissions - Repository-level actions permissions
  • GET /orgs/{org}/actions/permissions - Organization-level actions permissions (new endpoint integration)

Repository-Level Checks

Updated ActionsChecks.ts to validate sha_pinning_required setting:

  • Extracts the field from the repository actions permissions API response
  • Compares against policy configuration
  • Includes the check in both standard and "selected" permission validation flows
  • Check passes automatically if not defined in policy (optional field)

Organization-Level Checks

Created new OrgActionsChecks.ts evaluator to check organization-wide actions settings:

  • Validates enabled_repositories - which repos can use GitHub Actions (all/none/selected)
  • Validates allowed_actions - which actions can be used (all/local_only/selected)
  • Validates sha_pinning_required - whether SHA pinning is enforced

Policy Configuration

Repository Policy (policies/repository.yml):

actions:
  permission: selected
  selected:
    github_owned_allowed: true
    verified_allowed: true
    patterns_allowed:
      - "veracode/*"
      - "dcodx/*"
  sha_pinning_required: true  # NEW

Organization Policy (policies/organization.yml):

# NEW section
actions:
  enabled_repositories: all
  allowed_actions: all
  sha_pinning_required: true

Note: The repository policy field was renamed from allowed_actions to actions for consistency with the organization policy structure.

Documentation

Updated both repository.readme.md and organization.readme.md with:

  • Explanation of sha_pinning_required parameter
  • Security benefits of SHA pinning
  • Configuration examples
  • Full documentation of organization-level actions checks

Type Definitions

  • Created Actions interface (renamed from AllowedActions) to include optional sha_pinning_required field
  • Added actions section to OrgPolicy interface
  • Updated RepoPolicy to use actions: Actions instead of allowed_actions: AllowedActions
  • Used type casting for API responses since the field is new and not yet in @octokit/types

Testing

  • ✅ Build completes successfully
  • ✅ All code formatted with Prettier
  • ✅ TypeScript compilation passes
  • ✅ No linting errors

Security Impact

This change enables organizations to enforce SHA pinning for GitHub Actions, which:

  • Prevents actions from being modified after initial use via tag updates
  • Ensures exact action versions are executed
  • Mitigates supply chain attack vectors
  • Provides auditability for action usage

Closes #

Original prompt

This section details the original issue you should resolve.

<issue_title>Add new "sha_pinning_required" check under allowed_actions policy</issue_title>
<issue_description>

  • GET /orgs/{org}/actions/permissions
  • GET /repos/{owner}/{repo}/actions/permissions

These requests now return a new setting in the response ("sha_pinning_required": true or false).

For GET /orgs/{org}/actions/permissions

{
  "enabled_repositories": "all",
  "allowed_actions": "selected",
  "selected_actions_url": "https://api.github.com/organizations/42/actions/permissions/selected-actions",
  "sha_pinning_required": true
}

For GET /repos/{owner}/{repo}/actions/permissions

{
  "enabled": true,
  "allowed_actions": "selected",
  "selected_actions_url": "https://api.github.com/repositories/42/actions/permissions/selected-actions",
  "sha_pinning_required": true
}

  • Add sha_pinning_required to the policy under allowed_actions in the repository yml policy
  • Add actions in the organization policy and add the checks returned by GET /orgs/{org}/actions/permissions
  • Check for it in the code
  • Update readme

</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #27


Co-authored-by: david3107 <20040740+david3107@users.noreply.github.com>
Copilot AI changed the title [WIP] Add new sha_pinning_required check under allowed_actions policy Add sha_pinning_required check for GitHub Actions permissions Oct 10, 2025
Copilot AI requested a review from david3107 October 10, 2025 07:07
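As an added example (not the project's own code from this PR), the organization-level evaluation described above, written against the issue's sample payload: each policy field is compared to the API response, a field the policy omits passes automatically, and the new sha_pinning_required field is read through a cast because the typed response does not declare it. The type and function names (OrgActionsPolicy, OrgActionsPermissions, checkOrgActions, allPass) are assumptions for illustration.

```typescript
// Added example, not the project's code: evaluate a GitHub Actions permissions API
// response against a policy as the PR's checks do. Names here are illustrative.

type AllowedActions = "all" | "local_only" | "selected";
type EnabledRepos = "all" | "none" | "selected";

// Mirrors the `actions:` section of policies/organization.yml
interface OrgActionsPolicy {
  enabled_repositories?: EnabledRepos;
  allowed_actions?: AllowedActions;
  sha_pinning_required?: boolean; // optional: the check passes when omitted
}

// GET /orgs/{org}/actions/permissions as typed today: sha_pinning_required is
// deliberately absent, as it is not yet in @octokit/types
interface OrgActionsPermissions {
  enabled_repositories: EnabledRepos;
  allowed_actions: AllowedActions;
  selected_actions_url?: string;
}

interface CheckResult { name: string; pass: boolean; expected?: unknown; actual?: unknown }

function checkOrgActions(policy: OrgActionsPolicy, api: OrgActionsPermissions): CheckResult[] {
  const results: CheckResult[] = [];
  const compare = (name: keyof OrgActionsPolicy, actual: unknown): void => {
    const expected = policy[name];
    // A field the policy leaves unset is optional: record a pass, assert nothing
    if (expected === undefined) { results.push({ name, pass: true }); return; }
    results.push({ name, pass: expected === actual, expected, actual });
  };
  compare("enabled_repositories", api.enabled_repositories);
  compare("allowed_actions", api.allowed_actions);
  // Cast to read the new field that the typed response does not declare yet
  const shaPinning = (api as OrgActionsPermissions & { sha_pinning_required?: boolean }).sha_pinning_required;
  compare("sha_pinning_required", shaPinning);
  return results;
}

function allPass(results: CheckResult[]): boolean { return results.every((r) => r.pass); }

// Constructed sample payload modelled on the issue's example response
const sampleOrgResponse = JSON.parse(`{
  "enabled_repositories": "all",
  "allowed_actions": "selected",
  "selected_actions_url": "https://api.github.com/organizations/42/actions/permissions/selected-actions",
  "sha_pinning_required": true
}`) as OrgActionsPermissions;

console.log(checkOrgActions({ sha_pinning_required: true }, sampleOrgResponse));
```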
@david3107
Contributor

@copilot In the yaml policy repo file we should change the wording from allowed_actions to actions to be consistent with the org checks.

Co-authored-by: david3107 <20040740+david3107@users.noreply.github.com>
Contributor Author

Copilot AI commented Oct 10, 2025

@copilot In the yaml policy repo file we should change the wording from allowed_actions to actions to be consistent with the org checks.

Done! Renamed allowed_actions to actions in the repository policy for consistency with the organization policy.

Changes made in commit 0f8c2a6:

  • Updated policies/repository.yml to use actions instead of allowed_actions
  • Renamed AllowedActions interface to Actions in type definitions
  • Updated RepoPolicy interface to use actions: Actions
  • Updated all references in ActionsChecks.ts to use policy.actions
  • Updated RepoPolicyEvaluator.ts to check policy.actions
  • Updated documentation in repository.readme.md

@david3107 david3107 marked this pull request as ready for review October 10, 2025 08:47
@david3107 david3107 requested a review from theztefan as a code owner October 10, 2025 08:47
@david3107 david3107 merged commit 4c8b45c into main Oct 10, 2025