Fix Release workflow: drop disallowed SLSA provenance job#332
Merged
Conversation
The slsa-github-generator reusable workflow is not on the org's allowed reusable-workflows list, which fails the entire Release workflow at startup (startup_failure) and blocks tag releases. Drop the provenance job and its subject-generation steps; keep SBOM generation and Cosign signing. Update the changelog to match.
This was referenced Jul 6, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Pushing the
v3.6.1tag produced astartup_failure— the Release workflow never ran. Annotation:GitHub validates reusable-workflow references at load time, so the disallowed
provenancejob failed the entire workflow before any job started. No v3.6.1 release or artifacts were produced.This was the first tag to exercise the new supply-chain release.yml (SLSA/SBOM/Cosign added after v3.6.0), so it was never validated against org policy.
Fix
provenancejob and its orphaned SLSA subject-generation steps +slsa_subjects_fileoutput.anchore/sbom-action) and Cosign signing (sigstore/cosign-installer), which are step-level actions, not reusable workflows.Follow-up (optional)
To restore SLSA provenance later, an org/enterprise admin would need to add
slsa-framework/slsa-github-generatorto the allowed reusable-workflows list.Release steps after merge
Re-point the existing
v3.6.1tag to the merge commit and force-push it to re-trigger the Release workflow.