From 24bf116216b539e1aa7fdc6f44d71db35d3bd79c Mon Sep 17 00:00:00 2001 From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Mon, 16 Feb 2026 12:32:05 -0500 Subject: [PATCH] docs(ci): add allowlist export controls and sweep finding (#408) --- docs/actions-source-policy.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/actions-source-policy.md b/docs/actions-source-policy.md index baad677..d092bd8 100644 --- a/docs/actions-source-policy.md +++ b/docs/actions-source-policy.md @@ -21,6 +21,24 @@ Selected allowlist patterns: - `EmbarkStudios/cargo-deny-action@*` - `rhysd/actionlint@*` - `softprops/action-gh-release@*` +- `sigstore/cosign-installer@*` + +## Change Control Export + +Use these commands to export the current effective policy for audit/change control: + +```bash +gh api repos/zeroclaw-labs/zeroclaw/actions/permissions +gh api repos/zeroclaw-labs/zeroclaw/actions/permissions/selected-actions +``` + +Record each policy change with: + +- change date/time (UTC) +- actor +- reason +- allowlist delta (added/removed patterns) +- rollback note ## Why This Phase @@ -53,6 +71,11 @@ Failure mode to watch for: If encountered, add only the specific trusted missing action, rerun, and document why. +Latest sweep note (2026-02-16): + +- Hidden dependency discovered in `release.yml`: `sigstore/cosign-installer@...` +- Added allowlist pattern: `sigstore/cosign-installer@*` + ## Rollback Emergency unblock path:
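Review bot: In the first hunk, the new allowlist entry `sigstore/cosign-installer@*` is a wildcard ref, so the policy admits any tag or branch of that action, not just the version the release workflow uses; if the intent is SHA pinning, the policy doc should say so next to the pattern, since the export commands in the "Change Control Export" section will only ever show the wildcard. Two smaller points on that section: `gh api repos/zeroclaw-labs/zeroclaw/actions/permissions` and `.../selected-actions` capture the repository-level setting only, so if the repo sits under an organization with its own Actions policy, note that the effective policy is the intersection with the org-level setting; and the change-record checklist (date/time, actor, reason, delta, rollback note) does not say where those records are kept (this doc, a PR template, an issue label), which change control reviewers will ask for.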
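Review bot: In the second hunk, the sweep note does not follow the change-record fields the same patch introduces: it records the delta and the reason (hidden dependency in `release.yml`) but omits the actor and the rollback note. Also, the reference is written as `sigstore/cosign-installer@...`, which hides the ref actually used in `release.yml`; record the exact ref (tag or commit SHA) so a later sweep can tell whether it changed. Finally, "Latest sweep note (2026-02-16)" reads as a slot that the next sweep will overwrite; a dated list that accumulates entries would preserve the audit trail the "Change Control Export" section asks for.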