No. It is a standard JavaScript GitHub Action.

The action generates a temporary advisory-only config under RUNNER_TEMP, logs the generated path, and keeps the job non-blocking.

Only when active policies require repository facts such as exists or file_contains. File contents are read only for targeted globs.

Yes. Set fail-on-warn: true.