From bfa13888da58d8ebbd34ddec0e16ec3d0a239def Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 16 May 2026 22:51:22 +0000
Subject: [PATCH] Allow release-assets.githubusercontent.com in source-provenance egress policy

The slsa_with_provenance action downloads the slsa-source-corroborator binary from GitHub releases, which redirects through release-assets.githubusercontent.com. This endpoint was missing from the harden-runner allowed list for the attest-source-governance job, causing the egress block and failing the main build.

https://claude.ai/code/session_01FzXNiF3f5iEnRPX3SWfd2A
---
 .github/workflows/source-provenance.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
index f51c1d29..89f1c363 100644
--- a/.github/workflows/source-provenance.yml
+++ b/.github/workflows/source-provenance.yml
@@ -27,6 +27,7 @@ jobs:
 allowed-endpoints: >+
 github.com:443
 api.github.com:443
+ release-assets.githubusercontent.com:443
 uploads.github.com:443
 fulcio.sigstore.dev:443
 rekor.sigstore.dev:443
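Review bot: The added `release-assets.githubusercontent.com:443` entry opens a host that serves release assets for every GitHub repository, so the egress allowlist does not constrain which binary the job fetches, and the workflow itself gives no reason for the entry. Comments cannot go inside the `>+` folded scalar (they would become part of the value), so put one above the `allowed-endpoints:` key, for example `# release-assets.githubusercontent.com: redirect target for GitHub release downloads (slsa-source-corroborator binary)`. The step that downloads the binary is not visible here; it is worth confirming that the action is pinned to a commit SHA and that the binary is checked against a known digest or signature, since the network policy does not cover integrity. The harden-runner step and the rest of the endpoint list start and end outside the hunk.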