Add workflow to scan actions

Author: billnapier

.github/workflows/action_scanning.yml

@@ -0,0 +1,43 @@
+name: Scan GitHub Action workflows files for security issues
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+     paths:
+      - '.github/workflows/**.ya?ml'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  semgrep:
+    name: semgrep-oss/scan
+    runs-on: ubuntu-latest
+
+    container:
+      image: semgrep/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+    
+    
+      - name: Run Actions semgrep scan
+        run: semgrep scan --sarif --config semgrep-rules/actions >> semgrep-results-actions.sarif
+    
+      - name: Save Actions SARIF results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: semgrep-scan-results-actions
+          path: semgrep-results-actions.sarif
+    
+      - name: Upload Actions SARIF result to the GitHub Security Dashboard
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: semgrep-results-actions.sarif
+        if: always()

semgrep-rules/actions/pull_request_target_needs_exception.yml

@@ -0,0 +1,15 @@
+rules:
+  - id: pull-request-target-needs-exception
+    languages:
+      - yaml
+    severity: WARNING
+    message: pull_request_target for Google repos is only approved by exception.
+    metadata:
+      category: best-practice
+      technology:
+        - github-actions      
+    patterns:
+      - pattern-either:
+          - patterns:
+              - pattern-inside: "{on: ...}"
+              - pattern: pull_request_target