@ppkarwasz
Overview

The `slsa-framework/source-actions` repository provides experimental GitHub Actions for generating provenance attestations for [SLSA Source L2](https://slsa.dev/spec/v1.2/source-requirements#source-l2).

I have successfully tested these actions in non-ASF repositories. To my knowledge, their use within ASF repositories currently depends on the implementation of rulesets in the `.asf.yaml` file (see apache/infrastructure-asfyaml#49). However, I don’t see any downside to adding this repository to the allow list ahead of that work.

Name of action: slsa-framework/source-actions

URL of action: https://github.com/slsa-framework/source-actions

Version to pin to (hash only): dea965cdca5e0cb422bf7b2653c9d15f678ad01c (v0.1.0)

Permissions

The action is implemented using the Go `source-tool` utility. The list of permissions is not explicitly documented, but looking at the source code, it requires:

Checklist

You should be able to check most of these boxes for an action to be considered for review.
Please check all boxes that currently apply:

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured

The actions are maintained by a reputable and trustworthy organization.