
Feature: support auditing (composite) actions #173

Closed
2 tasks done
jku opened this issue Nov 18, 2024 · 3 comments · Fixed by #331
Labels
enhancement New feature or request
Milestone

Comments


jku commented Nov 18, 2024

Pre-submission checks

  • I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
  • I have looked through the open issues for a duplicate request.

What's the problem this feature will solve?

Action.yml, especially when the action is a composite action, can have many of the same pitfalls that workflows do: being able to audit them would be great.

Currently zizmor fails with

failed to register workflow

Caused by:
    0: couldn't load workflow from file
    1: invalid GitHub Actions workflow: "my-action/action.yml"
    2: missing field `on`

Describe the solution you'd like

  • zizmor should ideally work on action.yml files in general
  • composite actions would benefit the most since they are much like workflows

This should be doable since the composite actions syntax is fairly similar to workflows (but it also might not be trivial since there are so many small differences).

Additional context

No response
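The two pitfalls the issue points at, that composite actions keep workflow step syntax but store it somewhere else and with slightly different rules, can be shown with a small standalone audit. The code below is an added example written for this page; it is not zizmor's code and not the issue author's. It takes already-parsed YAML (the dict form `yaml.safe_load` would return), classifies the document as a workflow, a composite action, or a non-composite action, walks the steps from the right place for each, and applies two checks: expansion of attacker-controllable `${{ ... }}` contexts into a `run:` script, and the composite-only requirement that `run:` steps declare `shell:`. The untrusted-context list, the treatment of `inputs.*` as untrusted inside a composite action, and the three sample documents are all assumptions constructed for the example.

```python
import re

# Contexts an outside party can control (issue/PR text, head branch name).
# Illustrative list for this example, not a complete catalogue.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.head_ref",
)
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def document_kind(doc):
    """Classify a parsed YAML mapping by its top-level keys.

    Caveat: PyYAML follows YAML 1.1, so a bare `on:` key is loaded as the
    boolean True rather than the string "on"; both spellings are accepted here.
    """
    if not isinstance(doc, dict):
        return "unknown"
    if ("on" in doc or True in doc) and "jobs" in doc:
        return "workflow"
    runs = doc.get("runs")
    if isinstance(runs, dict):
        return "composite-action" if runs.get("using") == "composite" else "action"
    return "unknown"


def iter_steps(doc):
    """Yield (location, step) for every step, wherever the format keeps them:
    `jobs.<id>.steps` for workflows, `runs.steps` for composite actions."""
    kind = document_kind(doc)
    if kind == "workflow":
        for job_id, job in (doc.get("jobs") or {}).items():
            for i, step in enumerate((job or {}).get("steps") or []):
                yield f"jobs.{job_id}.steps[{i}]", step
    elif kind == "composite-action":
        for i, step in enumerate(doc["runs"].get("steps") or []):
            yield f"runs.steps[{i}]", step


def audit(doc):
    """Return [(location, message)]; a document without steps (e.g. a node20
    action) yields no findings instead of an error."""
    kind = document_kind(doc)
    findings = []
    for loc, step in iter_steps(doc):
        script = step.get("run")
        if script is None:
            continue
        # Composite-only rule: every `run` step must say which shell runs it.
        if kind == "composite-action" and "shell" not in step:
            findings.append((loc, "composite `run` step has no `shell`"))
        for expr in EXPR_RE.findall(str(script)):
            untrusted = expr.startswith(UNTRUSTED_CONTEXTS)
            # Assumption for this example: inside a composite action the caller
            # supplies `inputs.*`, so the action cannot trust them in a shell.
            if kind == "composite-action" and expr.startswith("inputs."):
                untrusted = True
            if untrusted:
                findings.append((loc, f"`${{{{ {expr} }}}}` is expanded into a shell script"))
    return findings


# Constructed sample documents (parsed form of a workflow and two action.yml files).
WORKFLOW = {
    "name": "triage",
    "on": {"issues": {"types": ["opened"]}},
    "jobs": {"triage": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": 'echo "new issue: ${{ github.event.issue.title }}"'},
    ]}},
}
COMPOSITE_ACTION = {
    "name": "greet",
    "description": "constructed composite action",
    "inputs": {"who": {"default": "world"}},
    "runs": {"using": "composite", "steps": [
        {"run": 'echo "hello ${{ inputs.who }}"', "shell": "bash"},
        {"run": 'echo "${{ github.event.pull_request.title }}"'},  # no shell
    ]},
}
NODE_ACTION = {"name": "node-only", "runs": {"using": "node20", "main": "dist/index.js"}}

if __name__ == "__main__":
    for name, doc in (("workflow", WORKFLOW), ("composite", COMPOSITE_ACTION), ("node", NODE_ACTION)):
        print(name, document_kind(doc))
        for loc, msg in audit(doc):
            print("  ", loc, msg)
```

Loading real files only needs `yaml.safe_load(open(path))` in front of `audit`; the dict shape is the same, apart from the `on`/True key quirk handled in `document_kind`.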

@jku jku added the enhancement New feature or request label Nov 18, 2024
@woodruffw (Owner)

Thanks @jku! This is listed in the roadmap in #1, but it's great to have a separate issue for this as well.

I agree about the value of doing this -- I'll be looking into initial support in the coming weeks. The underlying data models already support action definitions well, it's mostly just a matter of defining an ActionAudit or similar trait.

@woodruffw (Owner)

#188 gets us a bit closer to composite action auditing by adding the Audit supertrait, which the future ActionAudit can then compose over.

@woodruffw (Owner)

A basic version of this has landed with #331, with some initial audit support. Implementation for the rest of the audits is tracked in #350!
