harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

docs(ci): add allowlist export controls and sweep finding (#408)

Browse source
This commit is contained in:
Will Sarg 2026-02-16 12:32:05 -05:00 committed by GitHub
parent 0456f14a11
commit 24bf116216
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

23
docs/actions-source-policy.md
View file

@ -21,6 +21,24 @@ Selected allowlist patterns:
- `EmbarkStudios/cargo-deny-action@*` - `EmbarkStudios/cargo-deny-action@*`
- `rhysd/actionlint@*` - `rhysd/actionlint@*`
- `softprops/action-gh-release@*` - `softprops/action-gh-release@*`
- `sigstore/cosign-installer@*`
## Change Control Export
Use these commands to export the current effective policy for audit/change control:
```bash
gh api repos/zeroclaw-labs/zeroclaw/actions/permissions
gh api repos/zeroclaw-labs/zeroclaw/actions/permissions/selected-actions
```
Record each policy change with:
- change date/time (UTC)
- actor
- reason
- allowlist delta (added/removed patterns)
- rollback note
## Why This Phase ## Why This Phase
@ -53,6 +71,11 @@ Failure mode to watch for:
If encountered, add only the specific trusted missing action, rerun, and document why. If encountered, add only the specific trusted missing action, rerun, and document why.
Latest sweep note (2026-02-16):
- Hidden dependency discovered in `release.yml`: `sigstore/cosign-installer@...`
- Added allowlist pattern: `sigstore/cosign-installer@*`
## Rollback ## Rollback
Emergency unblock path: Emergency unblock path: