You can try:
- set up org secrets,
- write an action to do your work,
- create a template repository that has workflow(s) that use the action.
You could probably also have an org project which has a workflow with a schedule that checks the other org projects’ workflows and complains if it finds some that aren’t using the action (bonus point for complaining about the version of the action, since you can use that to recognize when workflows are out of date – you might even be able to have it automate PRs to update the workflows…), but note that it’ll get turned off if the repository doesn’t see pushes periodically, so odds are it’ll be off w/in 6 months.
n.b. I haven’t done something like this. We do have a template repository w/ a workflow or two, and we’re starting to rely on dependabot to track updates for actions (but it’s flaky, e.g. it doesn’t distinguish between unreleased and released versions of actions).
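
The check the scheduled workflow would run, as an added example that is not part of the original post: it scans workflow file text for `uses:` steps and reports repositories that do not use the shared action or pin a different version of it. The action name `example-org/shared-action`, the expected tag `v2`, the function names and the sample workflows are all assumptions constructed for illustration; a real job would load the workflow files from each repository instead of the inline sample.

```python
import re

# Hypothetical values: the org's shared action and the tag workflows should pin.
REQUIRED_ACTION = "example-org/shared-action"
CURRENT_VERSION = "v2"

# Matches `uses: owner/repo[/path]@ref`. Commented-out steps, local (./) and
# docker:// references do not match and are ignored.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)",
    re.M,
)

def audit_workflow(text):
    """Return 'ok', 'outdated:<refs>' or 'missing' for one workflow file."""
    refs = [ref for action, ref in USES_RE.findall(text)
            if action.lower() == REQUIRED_ACTION]
    if not refs:
        return "missing"
    stale = [r for r in refs if r != CURRENT_VERSION]
    return "outdated:" + ",".join(stale) if stale else "ok"

def audit_org(repos):
    """repos maps repo name -> {workflow path: YAML text}; returns complaints."""
    complaints = []
    for repo, workflows in sorted(repos.items()):
        results = {path: audit_workflow(t) for path, t in workflows.items()}
        # A repo passes the usage check if at least one workflow uses the action.
        if all(r == "missing" for r in results.values()):
            complaints.append(f"{repo}: no workflow uses {REQUIRED_ACTION}")
        for path, r in sorted(results.items()):
            if r.startswith("outdated:"):
                complaints.append(
                    f"{repo}/{path}: pins {r[9:]}, expected {CURRENT_VERSION}")
    return complaints

# Constructed sample input: three repositories with one workflow each.
CI = ".github/workflows/ci.yml"
HEAD = "jobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n"
SAMPLE = {
    "repo-a": {CI: HEAD + "      - uses: example-org/shared-action@v2\n"},
    "repo-b": {CI: HEAD + "      - name: shared\n"
                          "        uses: example-org/shared-action@v1  # old\n"},
    "repo-c": {CI: HEAD + "      # - uses: example-org/shared-action@v2\n"},
}

if __name__ == "__main__":
    for line in audit_org(SAMPLE):
        print(line)
```

The comparison is an exact match on the ref, so a workflow that pins the action by commit SHA is reported as a version mismatch.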