Whitelist GitHub Actions in code

I’d like to be able to whitelist GitHub Actions in code; that is, via a version-controlled file within the repository. Right now, as far as I can tell, it is a per-repository setting that needs to be configured, and isn’t obvious to people who may want to contribute to the project.

I’ve seen some projects, like github/docs, write unit tests to parse and check their .github/workflows/*{yml,yaml} files against an allowed file in .github/allowed-actions.js. This seems like a workaround for this gap, but I’m interested to see if there are other approaches.

Well, you can write something like this in user-code like github/docs does, but there will probably be no built-in support for this, as workflows are checked before execution whether they reference any actions that are not allowed - that’s also the reason why you can’t dynamically set actions.
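
As an added illustration of the unit-test approach discussed above (not code from this thread or from github/docs), the following checks every `uses:` reference in a workflow against an allowlist kept in the repository. The allowlist entries, function names and sample workflow are constructed, and the line-based matching assumes block-style YAML; a real test would read the files under .github/workflows and use a YAML parser.

```javascript
// Allowlist kept under version control (constructed entries, owner/repo form).
const ALLOWED_ACTIONS = new Set(['actions/checkout', 'actions/setup-node']);

// Collect every `uses:` value (step-level or job-level) with its line number.
// Only lines whose key is `uses` match, so text inside a `run:` string is ignored.
function extractUses(yamlText) {
  const refs = [];
  yamlText.split(/\r?\n/).forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s+)?uses:\s*(['"]?)([^'"#\s]+)\1\s*(?:#.*)?$/);
    if (m) refs.push({ line: i + 1, ref: m[2] });
  });
  return refs;
}

// Reduce a reference to the name that is compared with the allowlist.
function actionName(ref) {
  if (ref.startsWith('./')) return null;        // local action, already in this repo
  if (ref.startsWith('docker://')) return ref;  // image refs must be listed verbatim
  const [path] = ref.split('@');                // drop the @ref (tag, branch or SHA)
  return path.split('/').slice(0, 2).join('/'); // owner/repo, without any subpath
}

// Return the references that are not covered by the allowlist.
function findDisallowed(yamlText, allowed = ALLOWED_ACTIONS) {
  return extractUses(yamlText)
    .map((u) => ({ ...u, name: actionName(u.ref) }))
    .filter((u) => u.name !== null && !allowed.has(u.name));
}

// Constructed sample workflow used to exercise the check.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Node
        uses: "actions/setup-node@v4"   # quoted form
      - uses: ./.github/actions/local-lint
      - uses: example-org/unknown-action/sub/dir@main
      - uses: docker://alpine:3.19
      - run: echo "uses: not/an-action@v1"
`;

console.log(findDisallowed(SAMPLE_WORKFLOW));
```

Run as a CI test, a non-empty result fails the build, so a pull request that introduces a new action also has to change the allowlist in the same review.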