From 8310c47dfeb03d0d0f57bc2edc36900e454a0746 Mon Sep 17 00:00:00 2001
From: Anshi Singh
Date: Fri, 17 Apr 2026 16:06:46 -0700
Subject: [PATCH 1/5] Add macaron-check-github-actions.yml
---
 .../macaron-check-github-actions.yml | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 .github/workflows/macaron-check-github-actions.yml
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml
new file mode 100644
index 00000000000..50c4ceaa84f
--- /dev/null
+++ b/.github/workflows/macaron-check-github-actions.yml
@@ -0,0 +1,42 @@
+# Copyright (c) 2026 - 2026, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Run Macaron's policies and generate Verification Summary Attestation reports.
+# See https://github.com/oracle/macaron
+
+name: Run Macaron to Check Supply Chain Security Issues
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ push:
+ branches:
+ - master
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ workflow_dispatch:
+ schedule:
+ - cron: "0 4 * * 3"
+
+permissions:
+ contents: read
+
+jobs:
+ macaron-check-github-actions:
+ name: Macaron Policy Verification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Run Macaron Security Analysis Action
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+ with:
+ repo_path: ./
+ policy_file: check-github-actions
+ policy_purl: pkg:github.com/oracle/oci-java-sdk@.*
+ reports_retention_days: 90
\ No newline at end of file
From c2b6206ebcaf0099d2c986a25638887cb74b5572 Mon Sep 17 00:00:00 2001
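Review bot: The new file ends without a trailing newline (the `\ No newline at end of file` marker after `reports_retention_days: 90`), so the next edit to the last line will show up as a two-line change; add the final newline. The `policy_file: check-github-actions` and `policy_purl: pkg:github.com/oracle/oci-java-sdk@.*` inputs are not explained anywhere in the file and the header comment only links to the Macaron project; a comment above `policy_file:` such as `# Built-in Macaron policy; the purl's @.* presumably matches every revision of this repository — confirm against the Macaron docs` would save the next maintainer a lookup. The read-only `permissions:`, `persist-credentials: false` and SHA-pinned `uses:` lines are the right defaults for a workflow that also runs on `pull_request`.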
From: Anshi Singh
Date: Fri, 17 Apr 2026 16:43:33 -0700
Subject: [PATCH 2/5] Added explicit workflow permissions to releasepublished.yml
---
 .github/workflows/releasepublished.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/releasepublished.yml b/.github/workflows/releasepublished.yml
index e5320988707..833b168c781 100644
--- a/.github/workflows/releasepublished.yml
+++ b/.github/workflows/releasepublished.yml
@@ -16,6 +16,9 @@ on:
 required: true
 default: latest
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 # This workflow contains a single job called "build"
From 8f1e142749406e19199b37cf009ca41f79464c70 Mon Sep 17 00:00:00 2001
From: Anshi Singh
Date: Fri, 17 Apr 2026 16:49:44 -0700
Subject: [PATCH 3/5] Remove name
---
 .github/workflows/macaron-check-github-actions.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml
index 50c4ceaa84f..11c7756713e 100644
--- a/.github/workflows/macaron-check-github-actions.yml
+++ b/.github/workflows/macaron-check-github-actions.yml
@@ -25,7 +25,6 @@ permissions:
 jobs:
 macaron-check-github-actions:
- name: Macaron Policy Verification
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
From 123e9c543abc2f343f41e1314509d52d6a8d96e5 Mon Sep 17 00:00:00 2001
From: Anshi Singh
Date: Fri, 17 Apr 2026 17:14:26 -0700
Subject: [PATCH 4/5] Add name
---
 .github/workflows/macaron-check-github-actions.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml
index 11c7756713e..50c4ceaa84f 100644
--- a/.github/workflows/macaron-check-github-actions.yml
+++ b/.github/workflows/macaron-check-github-actions.yml
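Review bot: The workflow-level `permissions: contents: read` inserted after the `on:` block now caps the token for every job in releasepublished.yml, but the `jobs:` block continues outside the hunk, so it is not visible whether any step of this release workflow needs more than read access (uploading release assets or packages would). If one does, keep the top-level read-only default and add a job-level stanza with only the extra scope that job needs, e.g. `permissions:` / `contents: write` on that job alone. The enclosing `on:` mapping starts above the hunk and the jobs block ends below it.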
@@ -25,6 +25,7 @@ permissions:
 jobs:
 macaron-check-github-actions:
+ name: Macaron Policy Verification
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Repository
From fd5240f946f5c95d565214f4a62f7fd9a2451d6c Mon Sep 17 00:00:00 2001
From: Anshi Singh
Date: Thu, 23 Apr 2026 15:16:36 -0700
Subject: [PATCH 5/5] Remove schedule
---
 .github/workflows/macaron-check-github-actions.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml
index 50c4ceaa84f..203c254b266 100644
--- a/.github/workflows/macaron-check-github-actions.yml
+++ b/.github/workflows/macaron-check-github-actions.yml
@@ -17,8 +17,6 @@ on:
 - ".github/workflows/**"
 - ".github/actions/**"
 workflow_dispatch:
- schedule:
- - cron: "0 4 * * 3"
 permissions:
 contents: read