Separation of shared action configuration / meta from the actions themselves #159

Open
saisatishkarra opened this issue Sep 19, 2024 · 0 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@saisatishkarra (Collaborator)

Current state:
The configuration / state of the shared actions is part of the shared actions themselves. This makes it necessary to release the shared actions frequently and requires downstream workflows to be updated each time.

Use case:

  • Updating the existing value of an input parameter requires releasing the action and bumping it downstream
  • Security management ops like toggling global / repo-specific security controls from a central place without needing to modify / bump versions downstream
  • Skipping any controls to bypass them and use a break-glass strategy without needing a release

Instances:

  • SCA control failures due to upstream dependency (Grype) CDN issue
  • Docker CIS control failure due to GHCR (TooManyRequests) issue

Target State:

  • The goal is to NOT frequently update and release shared actions when modifying configuration.
  • Central config management of security control toggles across different scopes (global org-wide, repository-specific)
  • Inject the configuration of security controls into downstream pipelines dynamically for each scan

Ideas:

  • Feature flags
  • Shared action Configuration release / rollout strategy plan
saisatishkarra added the enhancement and help wanted labels on Sep 19, 2024
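One way the "Target State" above could be resolved at scan time, as an added example that is not part of the issue or of the shared-actions project: a small resolver that merges an org-wide default section with repository-specific overrides and then applies time-boxed break-glass exemptions. The JSON layout (`global`, `repositories`, `break_glass`, `expires`), the control names and the repository name are all assumptions constructed for the example; a downstream workflow would fetch such a document from a central location and pass the resolved toggles to the action instead of baking them into an action release.

```python
"""Resolve security-control toggles from a central config (added example).

Assumed (hypothetical) document layout:
  global        -> default settings per control, org-wide
  repositories  -> per-repository overrides, merged on top of global
  break_glass   -> time-boxed exemptions; scope "*" means every repository
Expired exemptions are ignored, so a skipped control re-enables itself
without anyone having to release anything.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed sample document; not a real config from the project.
CENTRAL_CONFIG_JSON = """
{
  "global": {
    "sca":        {"enabled": true, "fail_on": "high"},
    "docker-cis": {"enabled": true, "fail_on": "medium"},
    "secrets":    {"enabled": true, "fail_on": "low"}
  },
  "repositories": {
    "org/legacy-service": {
      "docker-cis": {"fail_on": "critical"}
    }
  },
  "break_glass": [
    {"control": "sca", "scope": "*",
     "reason": "upstream Grype CDN outage",
     "expires": "2024-09-20T12:00:00+00:00"},
    {"control": "docker-cis", "scope": "org/legacy-service",
     "reason": "GHCR TooManyRequests",
     "expires": "2024-09-19T18:00:00+00:00"}
  ]
}
"""


def _exemption_active(entry: dict, control: str, repo: str, now: datetime) -> bool:
    """True if a break-glass entry names this control, covers this repo
    (exact match or '*'), and its expiry timestamp has not yet passed."""
    if entry["control"] != control:
        return False
    if entry["scope"] not in ("*", repo):
        return False
    return now < datetime.fromisoformat(entry["expires"])


def resolve_controls(config: dict, repo: str, now: datetime) -> dict:
    """Merge global defaults with repo overrides, then apply live exemptions.
    Returns {control: {"enabled": bool, "fail_on": str, "break_glass": reason|None}}."""
    resolved: dict = {}
    repo_overrides = config.get("repositories", {}).get(repo, {})
    for control, defaults in config["global"].items():
        settings = dict(defaults)                      # org-wide baseline
        settings.update(repo_overrides.get(control, {}))  # repo-specific wins
        settings["break_glass"] = None
        for entry in config.get("break_glass", []):
            if _exemption_active(entry, control, repo, now):
                settings["enabled"] = False            # skip, but record why
                settings["break_glass"] = entry["reason"]
                break
        resolved[control] = settings
    return resolved


def resolve_from_json(text: str, repo: str, now: datetime) -> dict:
    """Convenience wrapper: parse the central document and resolve for one repo."""
    return resolve_controls(json.loads(text), repo, now)


if __name__ == "__main__":
    scan_time = datetime(2024, 9, 19, 15, 0, tzinfo=timezone.utc)
    for name, s in resolve_from_json(CENTRAL_CONFIG_JSON, "org/legacy-service", scan_time).items():
        print(f"{name:11s} enabled={s['enabled']!s:5s} fail_on={s['fail_on']:9s} "
              f"break_glass={s['break_glass']}")
```

The design point worth keeping whatever the real format ends up being: a break-glass entry carries a reason and an expiry, so the skip is auditable and fails closed once the window passes, and repository overrides can only adjust settings the global section defines, not introduce controls of their own.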