From a1e0c566d58e7b58b939693f574c5a5c7691bfcb Mon Sep 17 00:00:00 2001 From: Will Sarg <12886992+willsarg@users.noreply.github.com> Date: Mon, 16 Feb 2026 16:23:47 -0500 Subject: [PATCH] docs(actions-source-policy): update allowlist for Blacksmith self-hosted runner infrastructure --- docs/actions-source-policy.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/actions-source-policy.md b/docs/actions-source-policy.md index d092bd8..21eb6e2 100644 --- a/docs/actions-source-policy.md +++ b/docs/actions-source-policy.md @@ -22,6 +22,7 @@ Selected allowlist patterns: - `rhysd/actionlint@*` - `softprops/action-gh-release@*` - `sigstore/cosign-installer@*` +- `useblacksmith/*` (Blacksmith self-hosted runner infrastructure) ## Change Control Export @@ -71,10 +72,13 @@ Failure mode to watch for: If encountered, add only the specific trusted missing action, rerun, and document why. -Latest sweep note (2026-02-16): +Latest sweep notes: -- Hidden dependency discovered in `release.yml`: `sigstore/cosign-installer@...` -- Added allowlist pattern: `sigstore/cosign-installer@*` +- 2026-02-16: Hidden dependency discovered in `release.yml`: `sigstore/cosign-installer@...` + - Added allowlist pattern: `sigstore/cosign-installer@*` +- 2026-02-16: Blacksmith migration blocked workflow execution + - Added allowlist pattern: `useblacksmith/*` for self-hosted runner infrastructure + - Actions: `useblacksmith/setup-docker-builder@v1`, `useblacksmith/build-push-action@v2` ## Rollback
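Review bot: The entry `useblacksmith/*` added in the first hunk (selected allowlist patterns) is an owner-wide wildcard, while the neighbouring entries are each scoped to a single repository (`rhysd/actionlint@*`, `sigstore/cosign-installer@*`). It permits every action published under that owner, including ones added later, although the sweep note in this same patch lists only two actions in use. Suggest replacing it with `useblacksmith/setup-docker-builder@*` and `useblacksmith/build-push-action@*` so the allowlist covers exactly what the workflows call.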
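Review bot: In the second hunk, the new Blacksmith sweep entry records a broader grant than the guidance in the context line directly above it, which says to add only the specific trusted missing action and document why. The entry lists two specific actions but records the pattern `useblacksmith/*`, and unlike the cosign entry, which names `release.yml`, it does not say which workflow files were blocked. Suggest naming the affected workflows and, if the owner-wide pattern is kept, stating why the two per-action patterns were not sufficient. The recorded references `@v1` and `@v2` are tags, so the entry should also say whether the workflows pin them to a commit SHA.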