From 8f34d0b533cc7b4eaba9fab519a5a50f9860cc2f Mon Sep 17 00:00:00 2001
From: "Tom Hromatka (Oracle)"
Date: Mon, 20 Apr 2026 11:24:19 -0600
Subject: [PATCH] github: Add Macaron Github Actions Workflow
Macaron helps verify GitHub Actions usage against policy and surfaces unsafe patterns before they are merged or released. Switch all existing workflows to use a hardcoded version of upstream GitHub Actions.
Signed-off-by: Tom Hromatka (Oracle)
---
 .github/workflows/codeql-analysis.yml | 9 ++-
 .github/workflows/continuous-integration.yml | 27 +++++----
 .github/workflows/isolated.yml | 9 ++-
 .github/workflows/macaron.yml | 61 ++++++++++++++++++++
 4 files changed, 88 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/macaron.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 38c4221..5173096 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -27,19 +27,22 @@ name: "CodeQL"
 on: ["push", "pull_request"]
+permissions:
+ contents: read
+
 jobs:
 codeql:
 name: CodeQL
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: false
- - uses: github/codeql-action/init@v2
+ - uses: github/codeql-action/init@65216971a11ded447a6b76263d5a144519e5eee1 # v2.25.2
 with:
 languages: cpp, python
 - name: Initialize the directory
 uses: ./.github/actions/setup-adaptived
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@65216971a11ded447a6b76263d5a144519e5eee1 # v2.25.2
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 3d3dd2f..92937c5 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
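Review bot: The new top-level `permissions: contents: read` leaves the codeql job without `security-events: write`, which codeql-action/analyze needs in order to upload its results, so the scan will run but the upload step is likely to fail; add a job-level block under `codeql:` with `permissions:`, `contents: read` and `security-events: write`. The pin `65216971…` is labelled v2.25.2, and as far as I know the v2 line of github/codeql-action has been deprecated upstream in favour of v3, so this pin freezes the scan on a line that no longer receives updates — worth confirming before merge. The same checkout pin here, in the continuous-integration.yml hunks and in the isolated.yml hunks keeps the default `persist-credentials: true`, whereas the new macaron.yml sets `persist-credentials: false`; unless a later step in those jobs relies on the token left in .git/config, the existing workflows should carry the same setting.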
@@ -27,6 +27,9 @@ name: Continuous Integration
 on: ["push", "pull_request"]
+permissions:
+ contents: read
+
 jobs:
 # Doc: https://github.com/redhat-plumbers-in-action/differential-shellcheck#usage
 differential-shellcheck:
@@ -40,11 +43,11 @@ jobs:
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
 - name: Differential ShellCheck
- uses: redhat-plumbers-in-action/differential-shellcheck@v4
+ uses: redhat-plumbers-in-action/differential-shellcheck@d965e66ec0b3b2f821f75c8eff9b12442d9a7d1e # v5.5.6
 with:
 severity: warning
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -54,13 +57,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out source repository
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up Python environment
- uses: actions/setup-python@v4
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
 with:
 python-version: "3.8"
 - name: flake8 Lint
- uses: reviewdog/action-flake8@v3
+ uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -76,12 +79,12 @@ jobs:
 steps:
 - name: 'Calculate PR commits + 1'
 run: echo "PR_FETCH_DEPTH=$(( ${{ github.event.pull_request.commits }} + 1 ))" >> $GITHUB_ENV
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 fetch-depth: ${{ env.PR_FETCH_DEPTH }}
 - name: Run checkpatch review
- uses: webispy/checkpatch-action@v9
+ uses: webispy/checkpatch-action@58374fe5bb03358b23d3d6871e2ff290ce77fcd2 # v9
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
@@ -90,7 +93,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: false
 - name: Initialize the directory
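Review bot: With the top-level `permissions: contents: read` added in hunk @@ -27, every job without its own block now runs with a read-only token, yet the flake8 step in hunk @@ -54 hands `github_token` to reviewdog and the checkpatch step in hunk @@ -76 hands `GITHUB_TOKEN` to webispy/checkpatch-action, both of which publish results back to the pull request and so need `pull-requests: write` or `checks: write`; the job headers sit above these hunks, so if those jobs declare no job-level `permissions:` they will start failing to report. differential-shellcheck already carries `pull-requests: write` at job level in hunk @@ -40, which is the pattern to copy. Separately, the `# v9` comment on the checkpatch pin gives no patch version unlike every other pin, and nothing in the commit records how the hashes and their version comments are to be refreshed; a Dependabot or Renovate configuration for the github-actions ecosystem would keep both in step. The jobs owning hunks @@ -54, @@ -76 and @@ -90 start and end outside the hunks.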
@@ -110,7 +113,7 @@ jobs:
 CC: clang
 CXX: clang++
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: false
 - name: Fail on all warnings
@@ -137,7 +140,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: false
 - name: Fail on all warnings
@@ -156,7 +159,7 @@ jobs:
 - name: Collate code coverage results
 uses: ./.github/actions/code-coverage
 - name: Upload code coverage results
- uses: coverallsapp/github-action@master
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 path-to-lcov: ./lcov.total
@@ -170,7 +173,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Finalize code coverage results
- uses: coverallsapp/github-action@master
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
 with:
 github-token: ${{ secrets.GITHUB_TOKEN }}
 parallel-finished: True
diff --git a/.github/workflows/isolated.yml b/.github/workflows/isolated.yml
index 3fac9e7..2af9d93 100644
--- a/.github/workflows/isolated.yml
+++ b/.github/workflows/isolated.yml
@@ -27,6 +27,9 @@ name: Isolate Changes
 on: ["push", "pull_request"]
+permissions:
+ contents: read
+
 jobs:
 files-modified:
 name: Get modified files
@@ -35,7 +38,7 @@ jobs:
 amm_modified: ${{ steps.adaptivemm.outputs.amm_modified }}
 ad_modified: ${{ steps.adaptived.outputs.ad_modified }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Fetch
 run: git fetch
 - name: Set adaptivemm-modified to 1 if files were changed
@@ -64,7 +67,7 @@ jobs:
 amm_modified: ${{ needs.files-modified.outputs.amm_modified }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Build the current adaptivemm executable
 run: |
 pushd adaptivemm/src
@@ -118,7 +121,7 @@ jobs:
 ad_modified: ${{ needs.files-modified.outputs.ad_modified }}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Install dependencies
 run: |
 sudo apt-get update
diff --git a/.github/workflows/macaron.yml b/.github/workflows/macaron.yml
new file mode 100644
index 0000000..b52bda8
--- /dev/null
+++ b/.github/workflows/macaron.yml
@@ -0,0 +1,61 @@
+# Copyright (c) 2026, Oracle and/or its affiliates.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+# Macaron Workflow for adaptivemm / adaptived
+#
+name: Macaron check-github-actions
+
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ push:
+ branches:
+ - main
+ - master
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ workflow_dispatch:
+ schedule:
+ - cron: "20 15 * * 3"
+
+permissions:
+ contents: read
+
+jobs:
+ macaron-check-github-actions:
+ name: Macaron policy verification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run Macaron check-github-actions policy
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+ with:
+ repo_path: ./
+ policy_file: check-github-actions
+ policy_purl: pkg:github.com/${{ github.repository }}@.*
+ reports_retention_days: 90
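Review bot: The header comment says only which project the workflow belongs to, while the rest of the commit is being aligned to this policy gate, so the comment above `name:` should say what `check-github-actions` enforces as far as the author knows and what happens to the output, e.g. `# Runs Macaron's check-github-actions policy against this repository's workflows and actions; the report is kept as a run artifact for reports_retention_days days.` The `paths:` filters on `pull_request` mean the job is skipped for any pull request that touches no workflow or action file, so if it is later made a required status check those PRs would wait on a check that never starts; either drop the filters or keep it a non-required check. `persist-credentials: false` together with the read-only `permissions:` block is the right default for a job that only needs to read the tree, and is worth carrying into the other workflows touched by this commit.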