Update CODEOWNERS to require admin approval for workflow changes

[MattIPv4]

Pulling this out of Slack: https://openjs-foundation.slack.com/archives/CVAMEJ4UV/p1752615217869729

When a hash is changed for an action being used in a workflow, the allowlist in the repository settings must be updated by a repo admin to add the new hash.

As such, all workflow changes should require explicit approval from a repo admin before they land, to ensure that the repo admin is able to update the allowlist so that we don't land a disallowed hash into main.

Blocked by nodejs/admin#984 as this'll require the new @nodejs/web-admins team.

[bjohansebas]

I'd prefer to stop pinning to hashes in the allowed list of actions instead of continuing with this manual task (I know I'm not the one doing it, but it's still maintenance overhead for admins). Pinning to that list seems quite excessive

[MattIPv4]

I also definitely prefer that option if we can, just have the allowlist have the list of actions we use but leave the pinning to the workflow files themselves. That still ensures that no new actions are introduced directly or transiently, but means that PR reviews are the only review needed to update a version of an already used action.

[bmuenzenmeyer]

sorry for the direct ping, but i'd love @RafaelGSS to weigh in - or all of @nodejs/security

not up for debate is whether we should pin the shas in workflows, but if we should allow list in the settings - which is "safer" but can lead to failed workflows

slack message

[avivkeller]

FWIW “Verified creators” isn’t really secure, as an attacker can compromise a verified account, like with tj-actions in March.

[ovflowd]

IMO:

• Verified Creators should be unchecked as we have no idea who's what and which actions fit that
• I'm fine with only listing the actual action names and leaving hashes to files
  • But that will require us to be extra careful to not merge anything that might change said hashes accidentally.
  • Or at the very least PR required to have approval by an web-admin codeowners.

[MattIPv4]

• Verified Creators should be unchecked as we have no idea who's what and which actions fit

Agree.

• I'm fine with only listing the actual action names and leaving hashes to files

  • But that will require us to be extra careful to not merge anything that might change said hashes accidentally.
  • Or at the very least PR required to have approval by an web-admin codeowners.

My intent here is to enable web-infra to approve + merge workflow changes from Dependabot etc. without needing web-admin to be involved, hence wanting to remove the SHAs from the repo settings, so that when we approve/merge a SHA change from Dependabot etc. we don't break the workflow until web-admin is around. Requiring that web-admin still approve these would defeat the point of this change, and we might as well just switch these workflows to being owned by web-admin as I'd originally suggested, or are we happy trusting web-infra to continue owning these and verifying any SHA changes?

[avivkeller]

IMO if we remove the allow list, but enable the new https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/ feature, we get a similar same level of security, since any SHA changes still undergo manual review

[MattIPv4]

Would love to enable that feature, curious to see if we have anything transitive that's not pinned as that setting is fully recursive I believe.

[ovflowd]

I'm +1 with the latest stance of this. We just need to get web-admins to apply these changes across the border.