Allow release-assets.githubusercontent.com in source-provenance egress policy

[spoorcc]

The slsa_with_provenance action downloads the slsa-source-corroborator
binary from GitHub releases, which redirects through
release-assets.githubusercontent.com. This endpoint was missing from
the harden-runner allowed list for the attest-source-governance job,
causing the egress block and failing the main build.

https://claude.ai/code/session_01FzXNiF3f5iEnRPX3SWfd2A

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflow network configuration to support release operations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: bb0729dc-f048-4c08-8086-6c2679b458db

📥 Commits

Reviewing files that changed from the base of the PR and between d7c84de and bfa1388.

📒 Files selected for processing (1)

• .github/workflows/source-provenance.yml

---

Walkthrough

This PR adds one endpoint (release-assets.githubusercontent.com:443) to the allowed egress endpoints for the GitHub Actions runner hardening configuration in the attest-source-governance job, enabling the workflow to download release artifacts during execution.

Changes

Runner Hardening Configuration

Layer / File(s)	Summary
Runner endpoint allowlist configuration .github/workflows/source-provenance.yml	Added release-assets.githubusercontent.com:443 to the allowed-endpoints list in the Harden the runner step of the attest-source-governance job to permit egress for GitHub release asset downloads.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: allowing release-assets.githubusercontent.com in the source-provenance egress policy.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/fix-main-build-cCB7E

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}