From bd1f5bb119026b4e47f369f688171d21c185db92 Mon Sep 17 00:00:00 2001 From: "Piotr P. Karwasz" Date: Wed, 21 Jan 2026 10:49:29 +0100 Subject: [PATCH] Allow `slsa-framework/source-actions` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `slsa-framework/source-actions` repository provides experimental GitHub Actions for generating provenance attestations for [SLSA Source L2](https://slsa.dev/spec/v1.2/source-requirements#source-l2). I have successfully tested these actions in non-ASF repositories. To my knowledge, their use within ASF repositories currently depends on the implementation of rulesets in the `.asf.yaml` file (see apache/infrastructure-asfyaml#49). However, I don’t see any downside to adding this repository to the allow list ahead of that work. The actions are maintained by a reputable and trustworthy organization. --- actions.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/actions.yml b/actions.yml index 8cd7e7e7..d5fdd97d 100644 --- a/actions.yml +++ b/actions.yml @@ -675,6 +675,10 @@ sigstore/cosign-installer: faadad0cce49287aee09b3a48701e75088a2c6ad: expires_at: 2026-12-31 tag: v4.0.0 +slsa-framework/source-actions: + dea965cdca5e0cb422bf7b2653c9d15f678ad01c: + expires_at: 2026-12-31 + tag: v0.1.0 snok/install-poetry: 76e04a911780d5b312d89783f7b1cd627778900a: tag: v1
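Review bot: Before merging, confirm that `dea965cdca5e0cb422bf7b2653c9d15f678ad01c` is the commit the upstream `v0.1.0` tag actually resolves to (for example `git ls-remote --tags https://github.com/slsa-framework/source-actions v0.1.0`, comparing against the peeled `^{}` entry if the tag is annotated), since the allow list pins by full SHA and the `tag: v0.1.0` line is only a human-readable label. The entry is otherwise consistent with the neighbouring `sigstore/cosign-installer` block (SHA key, `expires_at: 2026-12-31`, `tag`) and is correctly placed alphabetically between `sigstore/` and `snok/`. Given that the commit message describes these actions as experimental and this is a `v0.1.0` release, the `expires_at` date should be treated as a point to re-review the pin rather than renew it automatically.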