From 80433869c90c68dfc24922cf77271faa70155edc Mon Sep 17 00:00:00 2001
From: Anshi Singh
Date: Fri, 17 Apr 2026 16:18:11 -0700
Subject: [PATCH 1/4] Update releasepublished.yml and Add macaron-check-github-actions.yml
---
 .../macaron-check-github-actions.yml | 42 +++++++++++++++++
 .github/workflows/releasepublished.yml | 47 +++++++++++++++----
 2 files changed, 79 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/macaron-check-github-actions.yml
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml
new file mode 100644
index 00000000000..715407bcf5c
--- /dev/null
+++ b/.github/workflows/macaron-check-github-actions.yml
@@ -0,0 +1,42 @@
+# Copyright (c) 2026 - 2026, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+# Run Macaron's policies and generate Verification Summary Attestation reports.
+# See https://github.com/oracle/macaron
+
+name: Run Macaron to Check Supply Chain Security Issues
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ push:
+ branches:
+ - legacy/v2/master
+ paths:
+ - ".github/workflows/**"
+ - ".github/actions/**"
+ workflow_dispatch:
+ schedule:
+ - cron: "0 4 * * 3"
+
+permissions:
+ contents: read
+
+jobs:
+ macaron-check-github-actions:
+ name: Macaron Policy Verification
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ persist-credentials: false
+
+ - name: Run Macaron Security Analysis Action
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+ with:
+ repo_path: ./
+ policy_file: check-github-actions
+ policy_purl: pkg:github.com/oracle/oci-java-sdk@.*
+ reports_retention_days: 90
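Review bot: `policy_purl: pkg:github.com/oracle/oci-java-sdk@.*` carries `.*` in the version component, which reads as a pattern rather than a purl version, and nothing in the file says so; a short comment above it such as `# version is a pattern: the policy applies to any ref of this repository` would save the next maintainer a trip to the Macaron docs (hedged, since the action's matching rules are not visible in this hunk). The rest of the file follows good practice: both actions are pinned to commit SHAs with the tag in a trailing comment, `persist-credentials: false` keeps the checkout token out of the workspace, and the workflow token is limited to `contents: read`. One point of style: the `schedule` trigger is dropped again in 4/4, so the series could introduce the file without it.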
diff --git a/.github/workflows/releasepublished.yml b/.github/workflows/releasepublished.yml index 93d7ebd4fbc..e5320988707 100644 --- a/.github/workflows/releasepublished.yml +++ b/.github/workflows/releasepublished.yml @@ -59,8 +59,8 @@ jobs: - name: Check credentials run: | set -e - echo "Checking SonaType SONATYPE_BASIC_AUTH_CREDENTIALS" - curl --fail -X GET -H "Content-Type:application/xml" -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" https://oss.sonatype.org/service/local/staging/profiles/b39883a429024e > /dev/null + echo "Checking SonaType PORTAL_ACCESS_TOKEN" + curl --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?state=open' echo "Checking GitHub ACCESS_TOKEN" curl -f -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" -H 'Accept: application/vnd.github.v3.raw' -s https://api.github.com/repos/$REPO > /dev/null - name: Configure GPG key @@ -85,6 +85,7 @@ jobs: env: ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }} run: | + sleep 900 if [ "$RELEASE" = "latest" ]; then echo "Using latest release" set +e @@ -138,7 +139,7 @@ jobs: mkdir unpacked cd unpacked unzip -q ../asset.zip - head CHANGELOG.md + head CHANGELOG.md - name: GPG sign all Maven files run: | cd unpacked/maven @@ -154,10 +155,11 @@ jobs: # Code mostly by mezzargh set -e WD=`pwd` + # we use the description field for cross identification between APIs (I could not find an alternative yet), so we can fetch correct repo for promotion. START_XML=$(cat << EOF - Publish ${GITHUB_REPOSITORY} ${RELEASE} Artifacts + ${{github.repository}}-${{github.run_id}}-${{github.run_attempt}} EOF 
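Review bot: The replacement credential check `curl --fail ... 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?state=open'` drops the `> /dev/null` that the removed line had, so the JSON listing of open staging repositories is written to the job log on every release run; append `-o /dev/null` (or restore `> /dev/null`), since only the exit status matters here. The bearer token is also expanded with `${{ secrets.PORTAL_ACCESS_TOKEN }}` straight into the `run:` script; passing it through `env:` and reading `$PORTAL_ACCESS_TOKEN` keeps the secret out of the generated shell text. Note that 4/4 reverts this hunk entirely, so the point only matters if the Portal migration is reinstated.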
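Review bot: `sleep 900` is added at the top of the step with no comment, so a reader cannot tell why every run now blocks for fifteen minutes before the release lookup; the intent (presumably waiting for release assets to become available) belongs in a comment such as `# give the publish job time to attach assets before querying the release`, or better, in a bounded polling loop. The step's `run:` block continues outside the hunk. 4/4 removes the line again, which suggests the wait was a debugging aid and the series could be squashed so it never lands.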
@@ -168,18 +170,43 @@ jobs: cd unpacked/maven/repository cp $WD/start.xml start.xml cat start.xml - curl --fail -v -X POST -d @start.xml -H "Content-Type:application/xml" -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" https://oss.sonatype.org/service/local/staging/profiles/b39883a429024e/start -o $WD/finish.xml + curl -sS --fail -v -X POST -d @start.xml -H "Content-Type:application/xml" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/service/local/staging/profiles/b39883a429024e/start -o $WD/finish.xml rm start.xml + curl --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?state=open' -o results.json + SELECTOR="${{github.repository}}-${{github.run_id}}-${{github.run_attempt}}" + repository_namespace=`cat results.json | jq -jr --arg SELECTOR $SELECTOR ".repositories[] | select(.description == \"$SELECTOR\").key" | jq -jRrs "@uri"` + echo $repository_namespace + rm results.json ls -lahn $WD cat $WD/finish.xml staging_dir=$(echo $(awk -F '[<>]' '/stagedRepositoryId/{print $3}' $WD/finish.xml)) + rm $WD/finish.xml echo "Staging dir is '${staging_dir}'" find . 
-type f | sed -E s'@./@@' | grep -v start.xml > $WD/artifacts.list ls -lahn $WD echo "Uploading $(wc -l $WD/artifacts.list | sed "s/^ *\([0-9]*\) .*$/\1/") artifacts" awk '{printf "%5d\t%s\n", NR, $0}' < $WD/artifacts.list - cat $WD/artifacts.list | xargs -n 1 -I {} curl --fail -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" --upload-file {} https://oss.sonatype.org/service/local/staging/deployByRepositoryId/${staging_dir}/{} - cp $WD/finish.xml finish.xml - cat finish.xml - curl --fail -X POST -d @finish.xml -H "Content-Type:application/xml" -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" -H "Content-Type:application/xml" https://oss.sonatype.org/service/local/staging/profiles/b39883a429024e/finish - echo https://oss.sonatype.org/content/repositories/${staging_dir} + cat $WD/artifacts.list | xargs -n 1 -I {} curl -sS --fail -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" --upload-file {} https://ossrh-staging-api.central.sonatype.com/service/local/staging/deployByRepositoryId/${staging_dir}/{} + curl -s -X POST -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/manual/upload/repository/${repository_namespace}?publishing_type=user_managed + while [[ $(curl -sS --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories' | jq -r ".repositories[] | select(.description == \"$SELECTOR\").portal_deployment_id") == "null" ]]; do + echo "Waiting for deployment ID..."; + curl -s -X POST -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/manual/upload/repository/$repository_namespace?publishing_type=user_managed; + sleep 5; + done + curl -sS --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 
'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories' -o final_result.json + portal_id=`cat final_result.json | jq -jr ".repositories[] | select(.description == \"$SELECTOR\").portal_deployment_id"` + echo "Closing OSSRH staging repo $repository_namespace, and continueing with Portal APIs" + echo "Promotion to Portal deployment staging '$portal_id' is pending ..."; + while [[ $(curl -sS -X 'POST' -H 'Accept:application/json' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" "https://central.sonatype.com/api/v1/publisher/status?id=$portal_id" | jq -r '.deploymentState') == "PENDING" ]]; do + echo "..." + sleep 5; + done + echo "Validing Portal deployement ..."; + while [[ $(curl -sS -X 'POST' -H 'Accept:application/json' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" "https://central.sonatype.com/api/v1/publisher/status?id=$portal_id" | jq -r '.deploymentState') == "VALIDATING" ]]; do + echo "..." + sleep 5; + done + echo "Dropping OSSRH staging repo: $repository_namespace" + curl -sS -X 'DELETE' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/manual/drop/repository/$repository_namespace + curl -sS -X 'POST' -H 'Accept:application/json' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" "https://central.sonatype.com/api/v1/publisher/status?id=$portal_id" | jq -e 'if .deploymentState == "FAILED" then error(.errors | tostring) else .deploymentState end' + echo "Portal Staging repository: https://central.sonatype.com/api/v1/publisher/deployment/$portal_id/download/" \ No newline at end of file From 961a5e8de14701132b1f630158309ef6fa42fc93 Mon Sep 17 00:00:00 2001 From: Anshi Singh Date: Fri, 17 Apr 2026 16:50:32 -0700 Subject: [PATCH 2/4] Added explicit workflow permissions to releasepublished.yml --- .github/workflows/macaron-check-github-actions.yml | 1 - .github/workflows/releasepublished.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) 
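Review bot: The three `while [[ $(curl ... | jq -r ...) == "..." ]]` loops have no iteration limit and do not detect curl failures (the status polls in the second and third loops lack `--fail`, and even with it a failure inside `$(... | jq ...)` only yields an empty string), so a transient API error makes the condition false, the loop exits as if the state had advanced, and the script proceeds to `DELETE .../manual/drop/repository/$repository_namespace` with an unverified `$portal_id`; each loop needs `--fail` on the curl plus a bounded retry count that aborts the step. The two `curl -s -X POST .../manual/upload/repository/...` calls likewise lack `--fail`, and `--arg SELECTOR $SELECTOR` should be quoted as `--arg SELECTOR "$SELECTOR"`. Smaller points: the user-facing strings `continueing`, `Validing` and `deployement` are misspelled, and the file is left without a trailing newline. 4/4 reverts this whole hunk, so if the Portal migration is not meant to land, the series should be squashed rather than carrying it through history.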
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml index 715407bcf5c..06ecbb55b28 100644 --- a/.github/workflows/macaron-check-github-actions.yml +++ b/.github/workflows/macaron-check-github-actions.yml @@ -25,7 +25,6 @@ permissions: jobs: macaron-check-github-actions: - name: Macaron Policy Verification runs-on: ubuntu-latest steps: - name: Checkout Repository diff --git a/.github/workflows/releasepublished.yml b/.github/workflows/releasepublished.yml index e5320988707..833b168c781 100644 --- a/.github/workflows/releasepublished.yml +++ b/.github/workflows/releasepublished.yml @@ -16,6 +16,9 @@ on: required: true default: latest +permissions: + contents: read + # A workflow run is made up of one or more jobs that can run sequentially or in parallel jobs: # This workflow contains a single job called "build" From b7e9b16756eacd14ad9b5d1f389faa013022ad4c Mon Sep 17 00:00:00 2001 From: Anshi Singh Date: Fri, 17 Apr 2026 17:13:50 -0700 Subject: [PATCH 3/4] Add name --- .github/workflows/macaron-check-github-actions.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml index 06ecbb55b28..715407bcf5c 100644 --- a/.github/workflows/macaron-check-github-actions.yml +++ b/.github/workflows/macaron-check-github-actions.yml @@ -25,6 +25,7 @@ permissions: jobs: macaron-check-github-actions: + name: Macaron Policy Verification runs-on: ubuntu-latest steps: - name: Checkout Repository From 56e98d5d8d8f3dcce572815eb0ecfbc18cd9d290 Mon Sep 17 00:00:00 2001 From: Anshi Singh Date: Thu, 23 Apr 2026 15:00:55 -0700 Subject: [PATCH 4/4] Remove schedule and not related macaron changes --- .../macaron-check-github-actions.yml | 2 - .github/workflows/releasepublished.yml | 47 ++++--------------- 2 files changed, 10 insertions(+), 39 deletions(-) 
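Review bot: The new workflow-level `permissions: contents: read` restricts `GITHUB_TOKEN` for every job in releasepublished.yml, which is the right default, but it deserves a one-line comment saying why it is safe here: the GitHub API calls in this workflow authenticate with `secrets.ACCESS_TOKEN` (visible in the 1/4 hunks), not the workflow token, e.g. `# GITHUB_TOKEN is read-only; release operations use secrets.ACCESS_TOKEN`. If any job outside these hunks writes through `GITHUB_TOKEN` (uploading assets, pushing tags) it now needs a job-level override, which I cannot confirm from the hunk. Separately, 2/4 deletes `name: Macaron Policy Verification` from macaron-check-github-actions.yml and 3/4 adds it back unchanged; squashing the two keeps that churn out of history.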
diff --git a/.github/workflows/macaron-check-github-actions.yml b/.github/workflows/macaron-check-github-actions.yml index 715407bcf5c..d4fd1c374bd 100644 --- a/.github/workflows/macaron-check-github-actions.yml +++ b/.github/workflows/macaron-check-github-actions.yml @@ -17,8 +17,6 @@ on: - ".github/workflows/**" - ".github/actions/**" workflow_dispatch: - schedule: - - cron: "0 4 * * 3" permissions: contents: read diff --git a/.github/workflows/releasepublished.yml b/.github/workflows/releasepublished.yml index 833b168c781..8092349a255 100644 --- a/.github/workflows/releasepublished.yml +++ b/.github/workflows/releasepublished.yml @@ -62,8 +62,8 @@ jobs: - name: Check credentials run: | set -e - echo "Checking SonaType PORTAL_ACCESS_TOKEN" - curl --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?state=open' + echo "Checking SonaType SONATYPE_BASIC_AUTH_CREDENTIALS" + curl --fail -X GET -H "Content-Type:application/xml" -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" https://oss.sonatype.org/service/local/staging/profiles/b39883a429024e > /dev/null echo "Checking GitHub ACCESS_TOKEN" curl -f -H "Authorization: Bearer ${{ secrets.ACCESS_TOKEN }}" -H 'Accept: application/vnd.github.v3.raw' -s https://api.github.com/repos/$REPO > /dev/null - name: Configure GPG key @@ -88,7 +88,6 @@ jobs: env: ACCESS_TOKEN: ${{ secrets.ACCESS_TOKEN }} run: | - sleep 900 if [ "$RELEASE" = "latest" ]; then echo "Using latest release" set +e @@ -142,7 +141,7 @@ jobs: mkdir unpacked cd unpacked unzip -q ../asset.zip - head CHANGELOG.md + head CHANGELOG.md - name: GPG sign all Maven files run: | cd unpacked/maven 
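Review bot: With `schedule` removed, the Macaron policy now runs only when files under `.github/workflows/**` or `.github/actions/**` change, or on manual dispatch, so a pinned action that the policy later starts to flag will not be re-checked until someone edits a workflow; if that trade-off is intended, the header comment should say so, e.g. `# Runs on workflow changes only; use workflow_dispatch for an ad-hoc check.` The remaining 4/4 hunks in releasepublished.yml restore the 1/4 code line for line, so the net change of the series to that file is the `permissions:` block and the `head CHANGELOG.md` whitespace fix.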
@@ -158,11 +157,10 @@ jobs: # Code mostly by mezzargh set -e WD=`pwd` - # we use the description field for cross identification between APIs (I could not find an alternative yet), so we can fetch correct repo for promotion. START_XML=$(cat << EOF - ${{github.repository}}-${{github.run_id}}-${{github.run_attempt}} + Publish ${GITHUB_REPOSITORY} ${RELEASE} Artifacts EOF 
@@ -173,43 +171,18 @@ jobs: cd unpacked/maven/repository cp $WD/start.xml start.xml cat start.xml - curl -sS --fail -v -X POST -d @start.xml -H "Content-Type:application/xml" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/service/local/staging/profiles/b39883a429024e/start -o $WD/finish.xml + curl --fail -v -X POST -d @start.xml -H "Content-Type:application/xml" -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" https://oss.sonatype.org/service/local/staging/profiles/b39883a429024e/start -o $WD/finish.xml rm start.xml - curl --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories?state=open' -o results.json - SELECTOR="${{github.repository}}-${{github.run_id}}-${{github.run_attempt}}" - repository_namespace=`cat results.json | jq -jr --arg SELECTOR $SELECTOR ".repositories[] | select(.description == \"$SELECTOR\").key" | jq -jRrs "@uri"` - echo $repository_namespace - rm results.json ls -lahn $WD cat $WD/finish.xml staging_dir=$(echo $(awk -F '[<>]' '/stagedRepositoryId/{print $3}' $WD/finish.xml)) - rm $WD/finish.xml echo "Staging dir is '${staging_dir}'" find . 
-type f | sed -E s'@./@@' | grep -v start.xml > $WD/artifacts.list ls -lahn $WD echo "Uploading $(wc -l $WD/artifacts.list | sed "s/^ *\([0-9]*\) .*$/\1/") artifacts" awk '{printf "%5d\t%s\n", NR, $0}' < $WD/artifacts.list - cat $WD/artifacts.list | xargs -n 1 -I {} curl -sS --fail -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" --upload-file {} https://ossrh-staging-api.central.sonatype.com/service/local/staging/deployByRepositoryId/${staging_dir}/{} - curl -s -X POST -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/manual/upload/repository/${repository_namespace}?publishing_type=user_managed - while [[ $(curl -sS --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories' | jq -r ".repositories[] | select(.description == \"$SELECTOR\").portal_deployment_id") == "null" ]]; do - echo "Waiting for deployment ID..."; - curl -s -X POST -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/manual/upload/repository/$repository_namespace?publishing_type=user_managed; - sleep 5; - done - curl -sS --fail -H "Accept:application/json" -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" 'https://ossrh-staging-api.central.sonatype.com/manual/search/repositories' -o final_result.json - portal_id=`cat final_result.json | jq -jr ".repositories[] | select(.description == \"$SELECTOR\").portal_deployment_id"` - echo "Closing OSSRH staging repo $repository_namespace, and continueing with Portal APIs" - echo "Promotion to Portal deployment staging '$portal_id' is pending ..."; - while [[ $(curl -sS -X 'POST' -H 'Accept:application/json' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" "https://central.sonatype.com/api/v1/publisher/status?id=$portal_id" | jq -r 
'.deploymentState') == "PENDING" ]]; do - echo "..." - sleep 5; - done - echo "Validing Portal deployement ..."; - while [[ $(curl -sS -X 'POST' -H 'Accept:application/json' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" "https://central.sonatype.com/api/v1/publisher/status?id=$portal_id" | jq -r '.deploymentState') == "VALIDATING" ]]; do - echo "..." - sleep 5; - done - echo "Dropping OSSRH staging repo: $repository_namespace" - curl -sS -X 'DELETE' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" https://ossrh-staging-api.central.sonatype.com/manual/drop/repository/$repository_namespace - curl -sS -X 'POST' -H 'Accept:application/json' -H "Authorization: Bearer ${{ secrets.PORTAL_ACCESS_TOKEN }}" "https://central.sonatype.com/api/v1/publisher/status?id=$portal_id" | jq -e 'if .deploymentState == "FAILED" then error(.errors | tostring) else .deploymentState end' - echo "Portal Staging repository: https://central.sonatype.com/api/v1/publisher/deployment/$portal_id/download/" \ No newline at end of file + cat $WD/artifacts.list | xargs -n 1 -I {} curl --fail -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" --upload-file {} https://oss.sonatype.org/service/local/staging/deployByRepositoryId/${staging_dir}/{} + cp $WD/finish.xml finish.xml + cat finish.xml + curl --fail -X POST -d @finish.xml -H "Content-Type:application/xml" -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}" -H "Content-Type:application/xml" https://oss.sonatype.org/service/local/staging/profiles/b39883a429024e/finish + echo https://oss.sonatype.org/content/repositories/${staging_dir}
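Review bot: The restored `curl --fail -v -X POST -d @start.xml ... -u "${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}"` line runs with `-v`, which echoes the outgoing `Authorization: Basic ...` header to stderr; that value is the base64 form of the credential rather than the literal secret string, so the runner's log masking may not redact it — drop `-v` (`set -e` with `--fail` already surfaces an HTTP error) or at least replace it with `-sS`. The same inline `${{ secrets.SONATYPE_BASIC_AUTH_CREDENTIALS }}` expansion appears in the upload and finish calls; an `env:` entry read as `-u "$SONATYPE_BASIC_AUTH_CREDENTIALS"` keeps the secret out of the generated script. Minor: the finish call passes `-H "Content-Type:application/xml"` twice. These lines return through a revert rather than being newly written, so I would carry the `-v` point as a follow-up if the series is squashed down to the Macaron change.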