For GitHub projects that enforce an allow-list for third-party GitHub Actions, like Macaron, it would be necessary to avoid calling the third-party GitHub Actions in the provenance generator and instead use CLI tools. These are the three GitHub Actions used by the generator and reported in this run, each of which might also be calling other GitHub Actions:
google-github-actions/auth
sigstore/cosign-installer
softprops/action-gh-release
For example the action-gh-release Action can easily be replaced by gh , which is available by default on the Ubuntu runners.
Note that GitHub enforces the allow-list statically. So, even if a GitHub Action is called conditionally, it will result in a startup failure.
For GitHub projects that enforce an allow-list for third-party GitHub Actions, like Macaron, it would be necessary to avoid calling the third-party GitHub Actions in the provenance generator and instead use CLI tools. These are the three GitHub Actions used by the generator and reported in this run, each of which might also be calling other GitHub Actions:
google-github-actions/authsigstore/cosign-installersoftprops/action-gh-releaseFor example the
action-gh-releaseAction can easily be replaced bygh, which is available by default on the Ubuntu runners.Note that GitHub enforces the allow-list statically. So, even if a GitHub Action is called conditionally, it will result in a startup failure.