Skip to content

Fix Release workflow: remove disallowed SBOM/Cosign actions#333

Merged
AndreyVMarkelov merged 1 commit into
masterfrom
fix/release-drop-unallowed-actions
Jul 6, 2026
Merged

Fix Release workflow: remove disallowed SBOM/Cosign actions#333
AndreyVMarkelov merged 1 commit into
masterfrom
fix/release-drop-unallowed-actions

Conversation

@AndreyVMarkelov

@AndreyVMarkelov AndreyVMarkelov commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Problem

After dropping the SLSA reusable workflow (#332), the v3.6.1 tag still hit startup_failure. Annotation:

The actions anchore/sbom-action@v0 and sigstore/cosign-installer@v4.1.0 are not allowed in dropbox/dbxcli because all actions must be from a repository owned by your enterprise, created by GitHub, or match one of the allowed patterns.

The org's allowed-actions policy is enforced at workflow load time, so these two step-level actions (both new since v3.6.0) failed the whole Release workflow before any job ran.

Fix

Remove the SBOM generation (anchore/sbom-action) and Cosign signing (sigstore/cosign-installer) steps, plus the now-unneeded id-token: write permission and the sbom/sigstore release assets.

Remaining actions are all policy-approved:

  • actions/checkout, actions/setup-go — GitHub-created
  • golangci/golangci-lint-action@* — on the allowlist
  • softprops/action-gh-release@v3 — used successfully in the v3.6.0 release

This matches the job shape that released v3.6.0. CHANGELOG updated to drop the SBOM/Cosign line.

Follow-up (optional)

To restore SBOM/Cosign/SLSA later, an org/enterprise admin would need to add anchore/sbom-action, sigstore/cosign-installer, and slsa-framework/slsa-github-generator to the org's allowed actions/reusable-workflows list.

anchore/sbom-action and sigstore/cosign-installer are not on the
org's allowed-actions list, causing the Release workflow to fail at
startup (startup_failure) and blocking tag releases.

Strip SBOM generation and Cosign signing so the workflow uses only
policy-approved actions (checkout, setup-go, golangci-lint-action,
action-gh-release), matching the job shape that released v3.6.0.
Drop the SBOM/Cosign line from the changelog.
@AndreyVMarkelov AndreyVMarkelov merged commit edc77eb into master Jul 6, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant