From bfa13888da58d8ebbd34ddec0e16ec3d0a239def Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 16 May 2026 22:51:22 +0000
Subject: [PATCH 1/2] Allow release-assets.githubusercontent.com in source-provenance egress policy

The slsa_with_provenance action downloads the slsa-source-corroborator binary from GitHub releases, which redirects through release-assets.githubusercontent.com. This endpoint was missing from the harden-runner allowed list for the attest-source-governance job, causing the egress block and failing the main build.

https://claude.ai/code/session_01FzXNiF3f5iEnRPX3SWfd2A
---
 .github/workflows/source-provenance.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
index f51c1d29..89f1c363 100644
--- a/.github/workflows/source-provenance.yml
+++ b/.github/workflows/source-provenance.yml
@@ -27,6 +27,7 @@ jobs:
 allowed-endpoints: >+
 github.com:443
 api.github.com:443
+ release-assets.githubusercontent.com:443
 uploads.github.com:443
 fulcio.sigstore.dev:443
 rekor.sigstore.dev:443

From 23f8ebce1577cafa22c64740dff78a6248ffb2fa Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 16 May 2026 23:00:54 +0000
Subject: [PATCH 2/2] Add timestamp.githubapp.com to harden-runner allowed-endpoints

actions/attest and actions/attest-build-provenance call timestamp.githubapp.com when signing DSSE attestation wrappers. This endpoint was absent from source-provenance.yml, build.yml, and test.yml, causing the egress block to refuse the connection.

https://claude.ai/code/session_01FzXNiF3f5iEnRPX3SWfd2A
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/source-provenance.yml | 2 ++
 .github/workflows/test.yml | 1 +
 3 files changed, 6 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 19ad11d9..23a84cce 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
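Review bot: The added `release-assets.githubusercontent.com:443` entry is the shared host for every GitHub release asset, so the attest-source-governance job's egress policy now permits fetching any repository's release artefacts, not only the slsa-source-corroborator binary named in the commit message; the allowlist can no longer bound what that step pulls, and the binary's integrity has to come from the download step itself (a pinned release version plus a checksum or signature check), which lies outside this hunk and is worth confirming. A short comment recording which step needs the entry would also let the list be pruned when the action changes, e.g. `# release-assets.githubusercontent.com: slsa_with_provenance fetches slsa-source-corroborator from GitHub releases` placed above the `allowed-endpoints:` key rather than inside it, because within the `>+` block scalar a `#` line is scalar content, not a comment. The enclosing job definition starts before and ends after the hunk.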
@@ -33,6 +33,7 @@ jobs:
 api.github.com:443
 release-assets.githubusercontent.com:443
 uploads.github.com:443
+ timestamp.githubapp.com:443
 pypi.org:443
 files.pythonhosted.org:443
 packages.microsoft.com:443
@@ -341,6 +342,8 @@ jobs:
 github.com:443
 api.github.com:443
 release-assets.githubusercontent.com:443
+ uploads.github.com:443
+ timestamp.githubapp.com:443
 pypi.org:443
 files.pythonhosted.org:443
 fulcio.sigstore.dev:443
diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
index 89f1c363..09ebab93 100644
--- a/.github/workflows/source-provenance.yml
+++ b/.github/workflows/source-provenance.yml
@@ -29,6 +29,7 @@ jobs:
 api.github.com:443
 release-assets.githubusercontent.com:443
 uploads.github.com:443
+ timestamp.githubapp.com:443
 fulcio.sigstore.dev:443
 rekor.sigstore.dev:443
 tuf-repo-cdn.sigstore.dev:443
@@ -61,6 +62,7 @@ jobs:
 github.com:443
 api.github.com:443
 uploads.github.com:443
+ timestamp.githubapp.com:443
 fulcio.sigstore.dev:443
 rekor.sigstore.dev:443
 tuf-repo-cdn.sigstore.dev:443
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index a598ccf7..dd8b237e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -54,6 +54,7 @@ jobs:
 svn.code.sf.net:443
 api.github.com:443
 uploads.github.com:443
+ timestamp.githubapp.com:443
 fulcio.sigstore.dev:443
 rekor.sigstore.dev:443
 tuf-repo-cdn.sigstore.dev:443
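Review bot: The `timestamp.githubapp.com:443` entry is added by hand to five separate job-level allowlists (this hunk, `@@ -341` in build.yml, `@@ -29` and `@@ -61` in source-provenance.yml, `@@ -54` in test.yml) with nothing recording why it is there, and both commits in this series exist because individual copies of the same list drifted. A one-line comment above each `allowed-endpoints:` key naming the consumer, e.g. `# actions/attest: timestamp.githubapp.com:443 (timestamp authority used when signing DSSE attestations)`, would let the next person tell required entries from leftovers; it must sit above the key, since inside the block scalar a `#` line becomes part of the endpoint string handed to harden-runner. If the runner is in blocking mode, as the commit message suggests, a missing entry surfaces only as a failed signing step late in the job, so a lightweight check that the common attestation endpoints appear in every list would catch the next omission earlier. Each job definition starts before and ends after its hunk.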
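Review bot: The second build.yml hunk (`@@ -341,6 +342,8`) also adds `uploads.github.com:443`, which the commit message does not mention; it explains only timestamp.githubapp.com, and the diffstat's three insertions for build.yml confirm this is a deliberate extra entry rather than a stray context line. An egress allowlist widening that nobody can later justify is hard to prune, so the message or a comment above that job's `allowed-endpoints:` key should say which step in the job now needs uploads.github.com (presumably an asset or artefact upload, though the hunk does not show it), or the entry should land in its own commit. The job definition starts before and ends after the hunk.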