
✨ Roll out restricted GitHub Actions across Platform repos #2854

@jasonBirchall

Description

User Need

As a platform engineer
I want to enable the new “restricted runnable actions” configuration across Platform Engineering repositories
so that only trusted actions (GitHub-owned and vetted patterns) can run, with a clear exception path.


What’s Needed

  • Opt in to restricted actions for all Platform repos, using the repos.yml sets introduced in PR #2646 (GitHub: restrict runnable actions).
  • Define the trusted patterns list (documented) and an exception process (who approves, where it is recorded).
  • Short runbook: how teams add a needed action (pinned to a full commit SHA) and how to request an exception.
  • Add a CI check (scanner) to flag untrusted or unpinned actions in PRs.
  • Plan an org-level default (future ticket) via actions_organization_permissions after the Platform rollout.
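
The CI scanner in the fourth bullet, as an added example that is not part of this issue or of any existing Platform tooling: it reads workflow files, pulls out every `uses:` reference, matches it against a trusted-pattern list written in GitHub's own allow-list style (`owner/*`, `owner/repo@*`, `owner/repo@v2`), and flags anything that is untrusted or not pinned to a full 40-hex commit SHA. The trusted patterns (including the `alphagov/*` entry), the sample workflow and the SHAs in it are constructed for the example; the real list is the one to be agreed under the second bullet.

```python
"""Flag GitHub Actions references that are untrusted or not pinned to a commit SHA.

Added example for a PR-time check; the trusted patterns below are an
assumption, not the agreed Platform list.
"""
import fnmatch
import re
import sys
from pathlib import Path

# Assumed trusted patterns in GitHub allow-list style:
# "owner/*", "owner/repo@*" or "owner/repo@v2". GitHub-owned actions
# (actions/*, github/*) plus the platform's own org (assumed: alphagov).
TRUSTED_PATTERNS = ["actions/*", "github/*", "alphagov/*"]

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches a step `- uses: ...` or a reusable-workflow `uses: ...` line,
# ignoring surrounding quotes and a trailing comment.
USES_LINE = re.compile(r"""^\s*(?:-\s+)?uses:\s*['"]?([^'"\s#]+)""")


def is_trusted(ref, patterns=TRUSTED_PATTERNS):
    """True if `owner/repo[/path]@version` matches one of the patterns."""
    name, _, version = ref.partition("@")
    for pattern in patterns:
        pat_name, _, pat_version = pattern.partition("@")
        if not fnmatch.fnmatchcase(name, pat_name):
            continue
        if pat_version in ("", "*") or pat_version == version:
            return True
    return False


def is_pinned(ref):
    """True only if the version part is a full 40-hex commit SHA.
    Tags and branches are mutable, so `v4` or `main` is not a pin."""
    _, _, version = ref.partition("@")
    return bool(FULL_SHA.match(version))


def scan_workflow(text, patterns=TRUSTED_PATTERNS):
    """Return (line_number, ref, reasons) for each reference that fails a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            # Local action in the same repo: reviewed with the PR, nothing to pin.
            continue
        reasons = []
        if ref.startswith("docker://"):
            # Container reference rather than an action; outside the pattern
            # list, so always route it to manual review.
            reasons.append("docker-image")
        else:
            if not is_trusted(ref, patterns):
                reasons.append("untrusted")
            if not is_pinned(ref):
                reasons.append("unpinned")
        if reasons:
            findings.append((lineno, ref, tuple(reasons)))
    return findings


def scan_paths(paths, patterns=TRUSTED_PATTERNS):
    """Scan workflow files; returns {path: findings} for files with findings."""
    results = {}
    for path in paths:
        findings = scan_workflow(Path(path).read_text(), patterns)
        if findings:
            results[str(path)] = findings
    return results


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-lint
      - uses: someone/random-action@v1
      - uses: alphagov/shared-action@fedcba9876543210fedcba9876543210fedcba98
  deploy:
    uses: alphagov/reusable-workflows/.github/workflows/deploy.yml@main
"""


if __name__ == "__main__":
    files = sys.argv[1:]
    results = scan_paths(files) if files else {"<sample>": scan_workflow(SAMPLE_WORKFLOW)}
    for path, findings in results.items():
        for lineno, ref, reasons in findings:
            print(f"{path}:{lineno}: {ref} [{', '.join(reasons)}]")
    sys.exit(1 if results else 0)
```

Run it in a PR job as `python check_actions.py .github/workflows/*.yml` and fail the job on a non-zero exit. Until the exception list exists it is worth keeping the check advisory, since it would otherwise block exactly the outliers the Assumptions section expects to handle via exceptions.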

Acceptance Criteria

  • All Platform repos have restrict_github_actions.enabled=true with the agreed set applied.
  • CI prevents new untrusted or unpinned actions from merging.
  • Docs published and shared in Slack; teams acknowledge them.

User Comms Plan (if applicable)

  • Slack announcement in #govuk-platform-engineering-team with docs.
  • 15-minute show-and-tell at the tech fortnightly walking through the new feature.

Assumptions (optional)

  • No breaking workflows once trusted patterns are set; outliers handled via exceptions.
  • We can iterate patterns without org-wide enforcement initially.

Risks & Mitigation (optional)


Notes

Metadata

Assignees

No one assigned

    Labels

    After CI/CD: This task should be explored after planned CI/CD re-architecting.
    urgency discussed: The urgency of this item has been discussed (probably in Backlog Refinement).

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests