As companies start using GitHub Actions, they quickly learn to follow best practices and fork the action repositories into their own organization. That raises a number of questions: how do we do this in a secure way? What checks can we run on those actions, and can we run them before our users are allowed to use those actions?
The process and reasoning behind this have been documented in this blogpost from Rob: from why you need to do this through to automating it. Read on to learn how to set things up in your organization as well!