New audit: archived action usage

[woodruffw]

This would be similar to our other uses: clause checks, except that it would check if a uses: clause references an archived repository.

For example, if foo/bar was archived on GitHub, the following would be flagged:

- uses: foo/bar@blah

# these too
- uses: foo/bar/some/action@blah
- uses: foo/bar/.github/workflows/something-reusable.yml@blah

Naming this archived-uses or similar probably makes sense.

h/t @lopopolo for this idea 🙂

[woodruffw]

This seems easily discoverable via the API:

% gh api /repos/zizmorcore/zizmor | jq '.archived'
false

[woodruffw]

Another related audit here would be for renamed/redirected repos, e.g.:

gh api /repos/woodruffw/zizmor | jq '.full_name'
"zizmorcore/zizmor"

The full_name divergence here tells us that GitHub is performing a redirect, which zizmor should flag as a potential risk (since the redirect could always be replaced with a new repo).

Maybe this would be renamed-uses or redirected-uses.

[woodruffw]

Thinking about this a bit more: I think the 90% case here would be statically tracking "well-known" archived actions, since these will account for the overwhelming majority of hits. This would also address my main hesitancy to add this, which is that we'd be adding a lot of API volume for a single repository state.

Specifically, there's a bunch of big offenders:

• Everything under actions-rs/*
• actions/upload-release-asset
• actions/create-release
• actions/setup-ruby