Lock down the .github directory with an owner file to avoid malicious code to be automatically executed in CI

[arrayka]

Lock down the .github directory with an owner file, requiring manual approval for CI runs for PRs that modify any file in that directory.

Originally posted by @hildebrandmw in #692 (comment)

[arrayka]

@hildebrandmw, technically, malicious code can be injected into the CI pipeline from any file in the repo, not just the .yml files under .github/.
The real question is whether restricting required approvers for the .github folder meaningfully reduces the attack surface.

Thoughts?