[FEATURE]: Lock Down GitHub Actions

## Feature

Immediately update our org-wide GitHub Actions default policy configurations to the following:

- Change the [default permission](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#configuring-the-default-github_token-permissions) of the `GITHUB_TOKEN` to be read-only for `contents` and `packages` .
- Require GitHub Actions workflows to be [pinned by SHA](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#managing-github-actions-permissions-for-your-organization).
- Require GitHub Actions to be [explicitly approved](https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#configuring-required-approval-for-workflows-from-public-forks) for [participants](https://github.com/shipwright-io/community/blob/main/CONTRIBUTOR-LADDER.md#participants) . 

## Background

Recent software supply chain attacks have exposed critical weaknesses in GitHub Actions defaults. This proposes _**immediate, potentially breaking changes**_ to how we manage GitHub Actions permissions. 

I am proposing this change as part of the Shipwright community's response to the [Trivy ecosystem compromise](https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[FEATURE]: Lock Down GitHub Actions #300

Feature

Background

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[FEATURE]: Lock Down GitHub Actions #300

Description

Feature

Background

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions