36 changes: 36 additions & 0 deletions .github/workflows/macaron-analysis.yaml
@@ -0,0 +1,36 @@
# Run Macaron's policies and generate Verification Summary Attestation reports.
# See https://github.com/oracle/macaron

name: Run Macaron to check supply chain security issues
on:
push:
branches:
- main
paths:
- .github/workflows/**
pull_request:
paths:
- .github/workflows/**

permissions:
contents: read

jobs:
run_macaron:
runs-on: ubuntu-latest

steps:

- name: Check out repository
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
fetch-depth: 0

# Check the GitHub Actions workflows in the repository for vulnerabilities.
- name: Run Macaron action
uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
with:
repo_path: ./
policy_file: check-github-actions
policy_purl: pkg:github.com/jenstroeger/python-package-template@.*
reports_retention_days: 90
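Review bot: the `on:` section only fires on pushes to `main` and on pull requests that touch `.github/workflows/**`, so the `check-github-actions` policy is never re-evaluated when a new Macaron release adds checks or when nothing under the workflows directory changes; consider adding `schedule:` (cron) and `workflow_dispatch:` triggers next to the existing `push:`/`pull_request:` entries so the analysis also runs periodically and on demand. Two smaller points: the header comment says the workflow generates Verification Summary Attestation reports, but the single step only runs the `check-github-actions` policy, so either adjust the comment or add the step that produces the VSA; and please confirm that the `@.*` version pattern in `policy_purl` (`pkg:github.com/jenstroeger/python-package-template@.*`) is the form the action expects rather than a concrete version or tag. Pinning both actions to a full commit SHA with the version in a trailing comment and limiting `permissions` to `contents: read` are good as they are.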
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -60,6 +60,8 @@ Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/

[OSSF Security Scorecards](https://github.com/ossf/scorecard) is enabled as a GitHub Actions workflow to give the consumers information about the supply-chain security posture of this project, assigning a score of 0–10. We upload the results as a SARIF (Static Analysis Results Interchange Format) artifact after each run and the results can be found at the Security tab of this GitHub project. We also allow publishing the data at [OpenSSF](https://metrics.openssf.org/). We use this data to continuously improve the security posture of this project. Note that this configuration supports the ``main`` (default) branch and requires the repository to be public and not forked.

[Macaron](https://oracle.github.io/macaron/pages/macaron_action.html) is enabled as a GitHub Actions workflow for supply chain security detection. It runs the `check-github-actions` policy to analyze GitHub workflows for insecure patterns and potential risks. When issues are detected, detailed findings and remediation suggestions are included in the workflow summary. Full reports are also uploaded as workflow artifacts for further review.

[pip-audit](https://github.com/pypa/pip-audit) is part of the default Python virtual environment, and can be used to check all installed packages for documented [CVE](https://www.cve.org/) by querying the [Python Packaging Advisory Database](https://github.com/pypa/advisory-database). The `_build.yaml` workflow always runs a package audit before the artifacts are being built. In automated production environments it _may_, on rare occasions, be necessary to suspend package auditing in which case you can [add a repository variable](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository) `DISABLE_PIP_AUDIT` with value `true` to your repository to explicitly disable running pip-audit.

### Package or application?
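Review bot: the new Macaron paragraph does not say when the analysis runs, whereas the neighbouring Scorecard paragraph states its branch and visibility constraints; the workflow added in this PR only triggers on pushes to `main` and on pull requests that change files under `.github/workflows/`, and keeps the uploaded reports for 90 days (`reports_retention_days: 90`), so consider stating both here so readers know that changes outside the workflows directory do not start a new run and that report artifacts expire. Also, "supply chain security detection" reads oddly; "supply chain security checks" would match the workflow's own name.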