chore: refer to pinned version of action (#18) #40

	name: 🚀🔐 Deploy Actions allow list

	on:
	push:
	branches: [main]
	paths:
	- github-actions-allow-list.yml
	- .github/workflows/actions-allow-list.yml
	pull_request:
	branches: [ main ]
	workflow_dispatch:

	jobs:
	run:
	runs-on: ubuntu-latest

	permissions: read-all

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- uses: actions/create-github-app-token@v2
	id: app-token
	with:
	app-id: ${{ vars.APP_ID }}
	private-key: ${{ secrets.PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}

	- name: validate yml
	run: \|
	if yq eval github-actions-allow-list.yml; then
	echo "Actions YML is valid"
	else
	echo "Actions YML validation failed"
	exit 1
	fi

	# if using Enterprise, use the `/enterprises/<enterprise-slug>` endpoint
	# and PAT - can't use GitHub app at Enterprise at Enterprise level
	- name: Enable Actions Policy in Org
	if: github.event_name != 'pull_request'
	env:
	GH_TOKEN: ${{ steps.app-token.outputs.token }}
	run: \|
	gh api -X PUT /orgs/${{ github.repository_owner }}/actions/permissions \
	-f enabled_repositories='all' \
	-f allowed_actions='selected'

	gh api -X PUT /orgs/${{ github.repository_owner }}/actions/permissions/selected-actions \
	-F github_owned_allowed=true \
	-F verified_allowed=true

	- name: Deploy GitHub Actions allow list
	if: github.event_name != 'pull_request'
	uses: ActionsDesk/github-actions-allow-list-as-code-action@013d3b0b014f3a7656c5b0a28c00fe8c7e41b5e3 # v3.1.0
	with:
	token: ${{ steps.app-token.outputs.token }}
	organization: ${{ github.repository_owner }}
	allow_list_path: github-actions-allow-list.yml

Provide feedback