Improvement: support composite actions

[MPV]

Currently this action is hardcoded to only check workflow files:

github-actions-ensure-sha-pinned-actions/src/index.js

Lines 14 to 15 in f324355

	const workflowsPath = process.env['ZG_WORKFLOWS_PATH'] || '.github/workflows';
	const globber = await glob.create([workflowsPath + '/*.yaml', workflowsPath + '/*.yml'].join('\n'));

As "composite" actions can uses: other actions, it would be nice to be able to use this action on them too:

• https://docs.github.com/en/actions/creating-actions/creating-a-composite-action#creating-an-action-metadata-file

i.e. I'd like this to be caught by this action:

cat action.yml:

name: 'Hello World file creator action'
runs:
  using: "composite"
  steps:
    - uses: actions/checkout@v4 # <---
    - shell: bash
      run: echo "hello world" >> file.txt

[MPV]

While the path may be adjustable using ZG_WORKFLOWS_PATH, there's still a hardcoded *.ya?ml filename (which may include other files than my likely desired action.yml).

[MPV]

Can confirm it doesn't work (as it assumes "jobs" would be required):

Given you have a repo like this:

tree
.
└── my-action
    └── action.yml

2 directories, 1 file

Trying to run it like this:

- name: Ensure SHA pinned actions
  uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
  env:
    ZG_WORKFLOWS_PATH: '*'

...gives:

Run zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1
  env:
    ZG_WORKFLOWS_PATH: *
Error: The "action.yml" workflow does not contain jobs.
*/action.yml
  No issues were found.

[pfuhrmann]

We also wish this would work for composite actions. We have plenty of them and currently, with this action, they are not checked which largely defeats the purpose.