@Demolus13 Demolus13 commented Nov 21, 2025

Summary

Adds an official GitHub Action (action.yaml) to run Macaron inside GitHub workflows, a test workflow (.github/workflows/test_macaron_action.yaml) that tests the Action across multiple tutorial scenarios, and a set of tutorial datalog policies under tests/tutorials/ used by the workflow.

Description of changes

  • action.yaml

    • Adds a composite GitHub Action named "Macaron Security Analysis" that wraps the macaron CLI for use in workflows.
    • Inputs: sbom_path, python_venv, package_url, repo_path, policy_file, policy_purl, defaults_path, digest, provenance_file, provenance_expectation, branch, deps_depth, github_token, output_dir, upload_attestation, subject_path.
    • Run Macaron Analysis - constructs and runs macaron analyze with the provided inputs. Writes a report path to outputs on success.
    • Run Macaron Policy Verification - runs macaron verify-policy with a local policy file or a predefined policy (via --existing-policy), writes policy_report and vsa_report outputs, and conditionally uploads attestations via actions/attest.
    • Outputs: policy_report and vsa_report for downstream workflow steps.
  • .github/workflows/test_macaron_action.yaml

    • Adds tutorial test cases in a GitHub workflow to test the Macaron action - Macaron Tutorials

Related issues

N/A

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@Demolus13 Demolus13 self-assigned this Nov 21, 2025
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Nov 21, 2025
@behnazh-w behnazh-w changed the title refactor: add github action to macaron. feat: add github actions for macaron. Nov 27, 2025
@behnazh-w behnazh-w changed the title feat: add github actions for macaron. feat: add github actions for macaron Nov 27, 2025
@Demolus13 Demolus13 force-pushed the pgovale/github-action branch 2 times, most recently from 39ba4f5 to 5f341ab Compare November 28, 2025 06:30
@behnazh-w behnazh-w left a comment

How about renaming tests/tutorials to tests/tutorial_resources because we also have integration tests for each tutorial tagged with tutorial. We could add a README.md to tests/tutorial_resources to explain this.

@behnazh-w behnazh-w marked this pull request as ready for review December 2, 2025 06:43
Signed-off-by: Demolus13 <parth.govale@oracle.com>
…from source.

…_github_actions.yaml

@Demolus13 Demolus13 force-pushed the pgovale/github-action branch from 305da1e to ff82091 Compare December 2, 2025 08:26
@behnazh-w behnazh-w merged commit c423ed4 into main Dec 3, 2025
21 checks passed