feat: add github actions for macaron (#1241)

Adds an official GitHub Action (action.yaml) to run Macaron inside GitHub workflows, a test workflow (.github/workflows/test_macaron_action.yaml) that test the Action across multiple tutorial scenarios, and a set of tutorial datalog policies under tests/tutorials/ used by the workflow.

Signed-off-by: Demolus13 <parth.govale@oracle.com>

Author: Demolus13

.github/workflows/test_macaron_action.yaml

@@ -0,0 +1,213 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+name: Test Macaron Action (tutorials)
+
+on:
+  push:
+    paths:
+    - action.yaml
+  pull_request:
+    paths:
+    - action.yaml
+  workflow_dispatch:
+
+permissions:
+  id-token: write
+  attestations: write
+
+jobs:
+  tutorial-commit-finder:
+    name: Analyzing and comparing different versions of an artifact
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8   # v5.0.0
+
+    - name: Run Macaron (analyze arrow@1.3.0)
+      uses: ./
+      with:
+        package_url: pkg:pypi/arrow@1.3.0
+        output_dir: macaron_output/commit_finder
+
+    - name: Run Macaron (analyze arrow@0.15.0)
+      uses: ./
+      with:
+        package_url: pkg:pypi/arrow@0.15.0
+        output_dir: macaron_output/commit_finder
+
+    - name: Run Macaron (verify policy - has-hosted-build)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/commit_finder/has-hosted-build.dl
+        output_dir: macaron_output/commit_finder
+
+  tutorial-detect-malicious-package:
+    name: Detecting malicious packages
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Run Macaron (analyze django@5.0.6 without dependencies)
+      uses: ./
+      with:
+        package_url: pkg:pypi/django@5.0.6
+        output_dir: macaron_output/detect_malicious_package
+
+    - name: Run Macaron (verify policy - check-django)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/detect_malicious_package/check-django.dl
+        output_dir: macaron_output/detect_malicious_package
+
+    - name: Setup Python for analyzed venv
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+      with:
+        python-version: 3.11.13
+
+    - name: Create and populate analyzed venv
+      run: |
+        python -m venv /tmp/.django_venv
+        source /tmp/.django_venv/bin/activate
+        pip install --upgrade pip
+        pip install django==5.0.6
+      shell: bash
+
+    - name: Clean previous macaron output
+      run: |
+        rm -rf macaron_output/detect_malicious_package
+      shell: bash
+
+    - name: Run Macaron (analyze django@5.0.6 with direct dependencies)
+      uses: ./
+      with:
+        package_url: pkg:pypi/django@5.0.6
+        output_dir: macaron_output/detect_malicious_package
+        deps_depth: '1'
+        python_venv: /tmp/.django_venv
+
+    - name: Run Macaron (verify policy - check-dependencies)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/detect_malicious_package/check-dependencies.dl
+        output_dir: macaron_output/detect_malicious_package
+
+  tutorial-detect-vulnerable-actions:
+    name: How to detect vulnerable GitHub Actions
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+    - name: Run Macaron (analyze repo - apache/logging-log4j2)
+      uses: ./
+      with:
+        repo_path: https://github.com/apache/logging-log4j2
+        output_dir: macaron_output/detect_vulnerable_github_actions
+
+    - name: Run Macaron (verify policy - github_actions_vulns for repo)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/detect_vulnerable_github_actions/check_github_actions_vuln_repo.dl
+        output_dir: macaron_output/detect_vulnerable_github_actions
+
+    - name: Run Macaron (analyze purl - log4j-core example)
+      uses: ./
+      with:
+        package_url: pkg:maven/org.apache.logging.log4j/log4j-core@3.0.0-beta3
+        output_dir: macaron_output/detect_vulnerable_github_actions
+
+    - name: Run Macaron (verify policy - github_actions_vulns for purl)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/detect_vulnerable_github_actions/check_github_actions_vuln_purl.dl
+        output_dir: macaron_output/detect_vulnerable_github_actions
+
+  tutorial-provenance:
+    name: Provenance discovery, extraction, and verification
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Run Macaron (analyze semver 7.7.2)
+      uses: ./
+      with:
+        package_url: pkg:npm/semver@7.7.2
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (verify provenance - semver)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_semver.dl
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (analyze toga 0.5.1 - PyPI provenance)
+      uses: ./
+      with:
+        package_url: pkg:pypi/toga@0.5.1
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (verify provenance - toga PyPI)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_toga.dl
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (analyze toga 0.4.8 - GitHub attestation)
+      uses: ./
+      with:
+        package_url: pkg:pypi/toga@0.4.8
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (verify provenance - toga GitHub)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_toga.dl
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (analyze urllib3 2.0.0a1 - GitHub attestation)
+      uses: ./
+      with:
+        package_url: pkg:pypi/urllib3@2.0.0a1
+        output_dir: macaron_output/provenance
+
+    - name: Run Macaron (verify provenance - urllib3)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/provenance/has-verified-provenance_urllib3.dl
+        output_dir: macaron_output/provenance
+
+  tutorial-detect-malicious-java-dep:
+    name: Detecting Java dependencies manually uploaded to Maven Central
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Run Macaron (analyze example-maven-app with SBOM)
+      uses: ./
+      with:
+        package_url: pkg:maven/io.github.behnazh-w.demo/example-maven-app@2.0?type=jar
+        repo_path: https://github.com/behnazh-w/example-maven-app
+        output_dir: macaron_output/detect_malicious_java_dep
+        sbom_path: ./resources/detect_malicious_java_dep/example-sbom.json
+        deps_depth: '1'
+
+    - name: Run Macaron (verify policy - detect-malicious-upload)
+      uses: ./
+      with:
+        policy_file: ./tests/tutorial_resources/detect_malicious_java_dep/example-maven-app.dl
+        output_dir: macaron_output/detect_malicious_java_dep
+
+  tutorial-exclude-include-checks:
+    name: Exclude and include checks in Macaron
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+    - name: Run Macaron (analyze micronaut-core with default checks)
+      uses: ./
+      with:
+        package_url: pkg:maven/io.micronaut/micronaut-core@4.3.10
+        output_dir: macaron_output/exclude_include_checks/normal
+
+    - name: Run Macaron (analyze micronaut-core excluding witness check via defaults.ini)
+      uses: ./
+      with:
+        package_url: pkg:maven/io.micronaut/micronaut-core@4.3.10
+        defaults_path: ./tests/tutorial_resources/exclude_include_checks/defaults_exclude_witness.ini
+        output_dir: macaron_output/exclude_include_checks/excluded

action.yaml

@@ -0,0 +1,124 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+name: Macaron Security Analysis
+description: Run Macaron to analyze supply chain security
+author: Oracle - github.com/oracle/macaron
+# This composite GitHub Action wraps the Macaron tool. It exposes inputs for analysis options to shell scripts under `scripts/actions/` for readability.
+
+inputs:
+  sbom_path:
+    description: The path to the SBOM of the analysis target.
+  python_venv:
+    description: Path to a Python virtual environment to resolve Python dependencies (used with Python analyze).
+  package_url:
+    description: The PURL string used to uniquely identify the target software component for analysis.
+  repo_path:
+    description: The path to the repository, can be local or remote.
+  policy_file:
+    description: Path to the Datalog policy.
+  policy_purl:
+    description: The PURL string for the pre-defined policy.
+  defaults_path:
+    description: The path to the defaults configuration file.
+  digest:
+    description: The digest of the commit we want to checkout in the branch.
+  provenance_expectation:
+    description: The path to provenance expectation file or directory.
+  provenance_file:
+    description: The path to the provenance file in in-toto format.
+  show_prelude:
+    description: Shows the Datalog prelude for the database.
+  branch:
+    description: The branch of the repository that we want to checkout.
+  deps_depth:
+    description: 'The depth of the dependency resolution. 0: disable, 1: direct dependencies, inf: all transitive dependencies.'
+    default: '0'
+  github_token:
+    description: The GitHub personal access token is needed for to run the analysis.
+    default: ${{ github.token }}
+  output_dir:
+    description: The output destination path for Macaron.
+    default: output
+  upload_attestation:
+    description: 'Upload the generated VSA report. default : false'
+    default: false
+  subject_path:
+    description: 'Path to the artifact serving as the subject of the attestation, the default is current repository. default : github.workspace'
+    default: ${{ github.workspace }}
+
+outputs:
+  policy_report:
+    description: Paths to the Macaron analysis report
+    value: ${{ steps.run-macaron-policy-verification.outputs.policy_report }}
+  vsa_report:
+    description: Verification Summary Attestation
+    value: ${{ steps.run-macaron-policy-verification.outputs.vsa_report }}
+
+runs:
+  using: composite
+  steps:
+  - name: Setup Python
+    uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
+    with:
+      python-version: 3.11.13
+
+  - name: Setup Go
+    uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+    with:
+      go-version: '1.23'
+      cache: false
+
+  - name: Setup JDK
+    uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 # v4.4.0
+    with:
+      java-version: '17'
+      distribution: oracle
+
+  - name: Setup Macaron
+    # Create or reuse a Python virtualenv with the macaron CLI and export the `MACARON` binary path via `$GITHUB_ENV` so later steps can use it.
+    run: |
+      bash "$GITHUB_ACTION_PATH/scripts/actions/setup_macaron.sh"
+    shell: bash
+
+  - name: Run Macaron Analysis
+    id: run-macaron-analysis
+    if: ${{ inputs.repo_path != '' || inputs.package_url != '' }}
+    # Build and execute the `macaron analyze` command. We pass action inputs into the script via `env` so the script can assemble the CLI command.
+    run: |
+      bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_analysis.sh"
+    shell: bash
+    env:
+      GITHUB_TOKEN: ${{ inputs.github_token }}
+      DEFAULTS_PATH: ${{ inputs.defaults_path }}
+      OUTPUT_DIR: ${{ inputs.output_dir }}
+      REPO_PATH: ${{ inputs.repo_path }}
+      PACKAGE_URL: ${{ inputs.package_url }}
+      BRANCH: ${{ inputs.branch }}
+      DIGEST: ${{ inputs.digest }}
+      DEPS_DEPTH: ${{ inputs.deps_depth }}
+      SBOM_PATH: ${{ inputs.sbom_path }}
+      PYTHON_VENV: ${{ inputs.python_venv }}
+      PROVENANCE_FILE: ${{ inputs.provenance_file }}
+      PROVENANCE_EXPECTATION: ${{ inputs.provenance_expectation }}
+
+  - name: Run Macaron Policy Verification
+    id: run-macaron-policy-verification
+    if: ${{ inputs.policy_file != '' }}
+    # Run policy verification using a Datalog policy file or a pre-defined policy and a PURL. The script writes `policy_report` and `vsa_report` to `$GITHUB_OUTPUT` if policy verification is successful.
+    run: |
+      bash "$GITHUB_ACTION_PATH/scripts/actions/run_macaron_policy_verification.sh"
+    shell: bash
+    env:
+      DEFAULTS_PATH: ${{ inputs.defaults_path }}
+      OUTPUT_DIR: ${{ inputs.output_dir }}
+      POLICY_FILE: ${{ inputs.policy_file }}
+      POLICY_PURL: ${{ inputs.policy_purl }}
+
+  - name: Upload Attestation
+    if: ${{ inputs.upload_attestation == 'true' && steps.run-macaron-policy-verification.outputs.vsa_report != 'VSA Not Generated.' }}
+    uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 #3.0.0
+    with:
+      subject-path: ${{ inputs.subject_path }}
+      predicate-type: https://slsa.dev/verification_summary/v1
+      predicate-path: ${{ steps.run-macaron-policy-verification.outputs.vsa_report }}

docs/source/pages/cli_usage/command_analyze.rst

@@ -87,10 +87,6 @@ Options
 
     The path to the local `.m2` Maven repository. If this option is not used, Macaron will use the default location at `$HOME/.m2`.
 
-.. option:: --verify-provenance
-
-    Allow the analysis to attempt to verify provenance files as part of its normal operations.
-
 .. option:: --force-analyze-source
 
     Forces PyPI source code analysis to run, regardless of other heuristic results.