
Feature request: Add support to scan actions #1095

Open
stefreak opened this issue Aug 24, 2022 · 1 comment

Comments

@stefreak

Currently there is no support for scanning actions.

This can be helpful to detect and fix issues in local GitHub Actions, or if I am using secure-workflows to fix issues in my GitHub Actions repository.

Repository to reproduce this issue: https://github.com/stefreak/ossf-scorecard-repro-2189
Insecure actions in this repository: https://github.com/stefreak/ossf-scorecard-repro-2189/tree/main/.github/actions

Warnings in the secure-workflows UI about unsupported local actions:

KnownIssue-3: Action ./.github/actions/reproduce-composite is a local action. Local actions are not supported
KnownIssue-3: Action ./.github/actions/reproduce-docker-path is a local action. Local actions are not supported
@varunsh-coder
Member

Thanks @stefreak for creating the issue!

To give you some context, there are two scenarios where the API to fix token permissions is called:

  1. A GitHub Actions workflow file's content is provided as input. As an example, someone might paste the file in https://app.stepsecurity.io and click on the Secure workflow button. In this case, we do not know the repository, so we cannot get to the local actions.
  2. A GitHub Actions workflow path is provided as input. This happens when OpenSSF Scorecard points to app.stepsecurity.io (e.g. https://app.stepsecurity.io/secureworkflow/step-security/supply-chain-goat/ci.yml/main?enable=permissions) and the repository and workflow path are provided as input. In this case, we do know the repo details, so ideally we should be able to get the local actions.

So, we should be able to do this for the 2nd scenario, and I think it is a great idea, because we can then fix more workflows.
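
A worked illustration of the two scenarios in the comment above, added here as an example and not code from secure-workflows or from either participant. It scans workflow YAML for `uses:` references, marks `./` references as local, and resolves them to `action.yml`/`action.yaml` on disk only when a repository root is known (scenario 2); with content alone (scenario 1) local references are reported as unsupported, matching the KnownIssue-3 warnings in the issue. The sample workflow, the status names and the `FindActionRefs`/`ResolveLocalAction`/`ScanWorkflow` functions are assumptions made for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Outcome of classifying one `uses:` reference (status names are this example's own).
const (
	StatusRemote           = "remote"            // owner/repo@ref or docker://, no repository needed
	StatusLocalUnsupported = "local-unsupported" // ./path but only the file content was supplied
	StatusLocalResolved    = "local-resolved"    // ./path found under the supplied repository root
	StatusLocalMissing     = "local-missing"     // ./path but no action.yml/action.yaml there
)

// ActionRef is one `uses:` reference found in a workflow file.
type ActionRef struct {
	Line     int
	Uses     string
	Local    bool   // `./...` references are resolved by GitHub inside the calling repository
	Status   string // filled in by ScanWorkflow
	Metadata string // resolved action.yml/action.yaml path, if any
}

// Matches `uses: value`, with or without a leading `- `, stopping at whitespace, quotes or `#`.
var usesRe = regexp.MustCompile(`^\s*(?:-\s+)?uses:\s*["']?([^"'#\s]+)`)

// FindActionRefs collects every `uses:` line. A line-based scan is sufficient
// because the value of `uses:` is always a single scalar on that line.
func FindActionRefs(workflow string) []ActionRef {
	var refs []ActionRef
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for n := 1; sc.Scan(); n++ {
		if m := usesRe.FindStringSubmatch(sc.Text()); m != nil {
			refs = append(refs, ActionRef{Line: n, Uses: m[1], Local: strings.HasPrefix(m[1], "./")})
		}
	}
	return refs
}

// ResolveLocalAction maps `./path` to the action metadata file under repoRoot.
// Paths that escape the root are rejected so a crafted workflow cannot make the
// scanner read files outside the checkout.
func ResolveLocalAction(repoRoot, uses string) (string, error) {
	absRoot, err := filepath.Abs(repoRoot)
	if err != nil {
		return "", err
	}
	dir := filepath.Join(absRoot, filepath.FromSlash(strings.TrimPrefix(uses, "./")))
	if dir != absRoot && !strings.HasPrefix(dir, absRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("%s escapes the repository root", uses)
	}
	for _, name := range []string{"action.yml", "action.yaml"} {
		p := filepath.Join(dir, name)
		if _, err := os.Stat(p); err == nil {
			return p, nil
		}
	}
	return "", fmt.Errorf("no action metadata under %s", dir)
}

// ScanWorkflow classifies each reference. An empty repoRoot is the "content only"
// scenario (1); a non-empty root is the "repository + workflow path" scenario (2).
func ScanWorkflow(workflow, repoRoot string) []ActionRef {
	refs := FindActionRefs(workflow)
	for i := range refs {
		switch {
		case !refs[i].Local:
			refs[i].Status = StatusRemote
		case repoRoot == "":
			refs[i].Status = StatusLocalUnsupported
		default:
			if p, err := ResolveLocalAction(repoRoot, refs[i].Uses); err == nil {
				refs[i].Status, refs[i].Metadata = StatusLocalResolved, p
			} else {
				refs[i].Status = StatusLocalMissing
			}
		}
	}
	return refs
}

// Constructed sample workflow; the two local action names are the ones from the issue.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: ./.github/actions/reproduce-composite
      - name: docker step
        uses: ./.github/actions/reproduce-docker-path
      - uses: docker://alpine:3.18
`

func main() {
	root := "" // pass a checkout path as the first argument to exercise scenario 2
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	for _, r := range ScanWorkflow(sampleWorkflow, root) {
		fmt.Printf("line %d: %-45s %s %s\n", r.Line, r.Uses, r.Status, r.Metadata)
	}
}
```

Run without arguments to see scenario 1 (both local references come back as `local-unsupported`); run with the path of a checkout of the repro repository to see scenario 2, where each `./.github/actions/...` reference is resolved to its `action.yml` so the fixer can inspect it. The root-escape check in `ResolveLocalAction` matters once the scanner starts reading files named by untrusted workflow content. Local reusable workflows (`uses: ./.github/workflows/x.yml`) also start with `./` and would be flagged as local by the same rule.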
