No. It is a standard JavaScript GitHub Action.
The action generates a temporary advisory-only config under RUNNER_TEMP, logs the generated path, and keeps the job non-blocking.
Only when active policies require repository facts such as exists or file_contains. File contents are read only for targeted globs.
Yes. Set fail-on-warn: true.