oracle · behnazh-w · Mar 31, 2026 · Mar 9, 2026 · Mar 25, 2026 · Mar 27, 2026
@@ -57,13 +57,13 @@ jobs:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python }}
 
     # Install Java.
     - name: Set up JDK
-      uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         distribution: oracle
         java-version: '17'
@@ -129,7 +129,7 @@ jobs:
     # Currently reusable workflows do not support setting strategy property from the caller workflow.
     - name: Upload the package artifact for debugging and release
       if: matrix.os == env.ARTIFACT_OS && matrix.python == env.ARTIFACT_PYTHON
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: artifact-${{ matrix.os }}-python-${{ matrix.python }}
         path: dist

@@ -1,4 +1,4 @@
-# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This is a reuseable workflow to build and test the Docker image. Note that this workflow does not
@@ -33,12 +33,12 @@ jobs:
 
     # The Docker integration tests require Python 3.11.
     - name: Set up Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.11'
 
     - name: Download artifact
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ inputs.artifact-name }}
         path: dist
@@ -63,6 +63,22 @@ jobs:
         IMAGE_NAME: ghcr.io/oracle/macaron
       run: make build-docker
 
+    # Export the built image so downstream jobs/workflows can load and reuse
+    # the exact same image without pushing to a registry.
+    - name: Export test Docker image
+      run: docker save ghcr.io/oracle/macaron:test --output /tmp/macaron-test-image.tar
+
+    # Upload the image tarball for the reusable action test workflow.
+    - name: Upload test Docker image artifact
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: macaron-test-image
+        path: /tmp/macaron-test-image.tar
+        if-no-files-found: error
+        retention-days: 1
+
+    # Install helper tooling used by integration test utilities that validate
+    # the built Docker image behavior.
     - name: Install dependencies for integration test utility
       run: make setup-integration-test-utility-for-docker
 
@@ -74,3 +90,14 @@ jobs:
         DOCKER_PULL: never
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: make integration-test-docker
+
+  test-macaron-action:
+    # Reuse the action test workflow against the exact Docker image built above.
+    # The image is transferred via artifact to avoid pushing to a registry.
+    needs: [build-docker]
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test_macaron_action.yaml
+    with:
+      docker_image_artifact_name: macaron-test-image
+      macaron_image_tag: test
@@ -35,7 +35,7 @@ jobs:
         fetch-depth: 0
 
     - name: Download artifact
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ inputs.artifact-name }}
         path: dist

@@ -38,7 +38,7 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
     - name: Set up Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.11'
 

@@ -0,0 +1,43 @@
+# Copyright (c) 2026 - 2026, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Run Macaron's policies and generate Verification Summary Attestation reports.
+# See https://github.com/oracle/macaron
+
+name: Run Macaron to check supply chain security issues
+on:
+  push:
+    branches:
+    - main
+    paths:
+    - .github/workflows/**
+  pull_request:
+    paths:
+    - .github/workflows/**
+  schedule:
+  - cron: 20 15 * * 3
+permissions:
+  contents: read
+
+jobs:
+  run_macaron:
+    runs-on: ubuntu-latest
+
+    steps:
+
+    - name: Check out repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        fetch-depth: 0
+        persist-credentials: false
+
+    # Check the GitHub Actions workflows in the repository for vulnerabilities.
+    # Note: adjust the policy_purl to refer to your repository URL.
+    - name: Run Macaron action
+      id: run_macaron
+      uses: oracle/macaron@fda4dda04aa7228fcaba162804891806cf5a1375 # v0.22.0
+      with:
+        repo_path: ./
+        policy_file: check-github-actions
+        policy_purl: pkg:github.com/oracle/macaron@.*
+        reports_retention_days: 90
@@ -30,7 +30,7 @@ jobs:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.11'
 

@@ -1,4 +1,4 @@
-# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2022 - 2026, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # We run checks on pushing to the specified branches.
@@ -45,7 +45,7 @@ jobs:
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
 
     - name: Set up Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.11'
 
@@ -131,7 +131,7 @@ jobs:
         } >> "$GITHUB_OUTPUT"
 
     - name: Download artifact
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: ${{ env.ARTIFACT_NAME }}
         path: dist
@@ -215,7 +215,7 @@ jobs:
         rm -f "$CHECKSUMS"
 
     - name: Set up Python
-      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.11'
 
@@ -310,7 +310,7 @@ jobs:
   #       fetch-depth: 0
 
   #   - name: Download provenance
-  #     uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+  #     uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
   #     with:
   #       name: ${{ needs.provenance.outputs.provenance-name }}
 
@@ -333,19 +333,3 @@ jobs:
       # https://github.com/actions/runner/issues/2394.
       artifact-name: artifact-ubuntu-latest-python-3.11
       artifact-sha256: ${{ needs.build.outputs.artifacts-sha256 }}
-
-  # Send out release notifications after the Release was published on GitHub.
-  # Uncomment the `if` to disable sending release notifications.
-  notifications:
-    if: ${{ false }}
-    needs: [release]
-    name: Send Release notifications
-    uses: ./.github/workflows/_release-notifications.yaml
-    permissions:
-      contents: read
-    with:
-      repo_name: ${{ github.event.repository.name }}
-      release_tag: ${{ needs.release.outputs.release-tag }}
-      release_url: ${{ needs.release.outputs.release-url }}
-    secrets:
-      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
@@ -49,7 +49,7 @@ jobs:
 
     # Upload the results as artifacts (optional).
     - name: Upload artifact
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: SARIF file
         path: results.sarif