Update CODEOWNERS to require admin approval for workflow changes

[MattIPv4]

Pulling this out of Slack: https://openjs-foundation.slack.com/archives/CVAMEJ4UV/p1752615217869729

When a hash is changed for an action being used in a workflow, the allowlist in the repository settings must be updated by a repo admin to add the new hash.

As such, all workflow changes should require explicit approval from a repo admin before they land, to ensure that the repo admin is able to update the allowlist so that we don't land a disallowed hash into main.

Blocked by nodejs/admin#984 as this'll require the new @nodejs/web-admins team.

[bjohansebas]

I'd prefer to stop pinning to hashes in the allowed list of actions instead of continuing with this manual task (I know I'm not the one doing it, but it's still maintenance overhead for admins). Pinning to that list seems quite excessive

[MattIPv4]

I also definitely prefer that option if we can, just have the allowlist have the list of actions we use but leave the pinning to the workflow files themselves. That still ensures that no new actions are introduced directly or transiently, but means that PR reviews are the only review needed to update a version of an already used action.

[bmuenzenmeyer]

sorry for the direct ping, but i'd love @RafaelGSS to weigh in - or all of @nodejs/security

not up for debate is whether we should pin the shas in workflows, but if we should allow list in the settings - which is "safer" but can lead to failed workflows

slack message

[avivkeller]

FWIW “Verified creators” isn’t really secure, as an attacker can compromise a verified account, like with tj-actions in March.