Merge pull request #142 from vasac/add-macaron

Add macaron

Author: vasac

.github/macaron/defaults.ini

@@ -0,0 +1,13 @@
+[analysis.checks]
+exclude =
+    mcn_build_as_code_1
+    mcn_build_service_1
+    mcn_find_artifact_pipeline_1
+    mcn_provenance_available_1
+    mcn_provenance_verified_1
+    mcn_provenance_derived_commit_1
+    mcn_provenance_derived_repo_1
+    mcn_provenance_witness_level_one_1
+    mcn_provenance_expectation_1
+    mcn_trusted_builder_level_three_1
+include = *

.github/workflows/macaron-check-github-actions.yml

@@ -0,0 +1,39 @@
+name: Macaron check-github-actions
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+      - ".github/actions/**"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/**"
+      - ".github/actions/**"
+  workflow_dispatch:
+  schedule:
+    - cron: "17 4 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  macaron-check-github-actions:
+    name: Macaron policy verification
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run Macaron check-github-actions policy
+        uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+        with:
+          repo_path: ./
+          defaults_path: .github/macaron/defaults.ini
+          policy_file: check-github-actions
+          policy_purl: pkg:github.com/${{ github.repository }}@.*
+          reports_retention_days: 90