feat(github-actions): add ability to look up org restrictions for action versions

As noted in #39745, it would be useful to prevent Renovate from raising PRs when it's known that the organisation will block an update to the Action(s).

[Via](https://github.com/renovatebot/renovate/discussions/39745#discussioncomment-15148394) we can use [the API](https://docs.github.com/en/enterprise-cloud@latest/rest/actions/permissions?apiVersion=2022-11-28&versionId=enterprise-cloud%40latest&category=code-security&subcategory=configurations#get-allowed-actions-and-reusable-workflows-for-an-organization) to query what restrictions are in place, and apply that accordingly to the update(s).

This would cover:

Outstanding questions:

- what happens to a branch when it contains an update that would be blocked?
  - Should the `BranchResult` be marked as `error` or `needs-approval`?
  - Should those updates be filtered?
- Should this introduce a new internal check i.e. `renovate/organisation-policy-restriction`, which can then work alongside `internalChecksFilter`?

Out of scope:

- Looking up "Marketplace [verified creators](https://github.com/marketplace?type=actions&verification=verified_creator)"


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(github-actions): add ability to look up org restrictions for action versions #39802

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

feat(github-actions): add ability to look up org restrictions for action versions #39802

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions