Option to run safe-settings as for example GitHub Action (no deployed service required)

[Elyytscha]

Description

Problem
Currently, using safe-settings requires running a deployed service/component. This adds operational overhead (hosting, maintenance, security considerations) and makes adoption harder—especially for teams that prefer fully GitHub-native workflows.

For users coming from Terraform or other declarative tools, this feels like a significant drawback, since it introduces an always-on component instead of a pull-based or event-driven model.

Proposal
Explore supporting an alternative architecture where safe-settings can run entirely within a GitHub Action, without requiring a separately deployed service.

For example:

• A GitHub Action triggered on events (e.g. push, pull_request, schedule)
• The action evaluates and applies repository/org settings
• Similar in spirit to tools like release-please, which operate fully within GitHub Actions

Expected Benefits:

• No infrastructure to deploy or maintain
• Easier onboarding and adoption
• Better alignment with GitHub-native workflows
• Improved security posture (no long-running service with credentials)

Questions / Considerations

• What are the current architectural constraints that require a deployed service?
• Are there features (e.g. webhooks, real-time enforcement) that would be difficult to support in a GitHub Action model?
• Could a hybrid approach work (optional service vs action-only mode)?

Alternative (if full support isn’t feasible)
Even partial support (e.g. a CLI mode designed specifically for GitHub Actions) would significantly reduce friction.