From 900f990ca65cc970f01626bce0283566012f2a5b Mon Sep 17 00:00:00 2001
From: behnazh-w
Date: Tue, 31 Mar 2026 18:30:27 +1000
Subject: [PATCH] chore: update Macaron version in docs and test action

Signed-off-by: behnazh-w
---
 .github/workflows/macaron-analysis.yaml | 2 +-
 README.md | 4 ++--
 docs/source/pages/macaron_action.rst | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/macaron-analysis.yaml b/.github/workflows/macaron-analysis.yaml
index d0da663d1..2d90cacb4 100644
--- a/.github/workflows/macaron-analysis.yaml
+++ b/.github/workflows/macaron-analysis.yaml
@@ -35,7 +35,7 @@ jobs:
 # Note: adjust the policy_purl to refer to your repository URL.
 - name: Run Macaron action
 id: run_macaron
- uses: oracle/macaron@fda4dda04aa7228fcaba162804891806cf5a1375 # v0.22.0
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
 with:
 repo_path: ./
 policy_file: check-github-actions
diff --git a/README.md b/README.md
index 4493efb1e..374613e12 100644
--- a/README.md
+++ b/README.md
@@ -14,11 +14,11 @@ Use Macaron as a GitHub Action
 To use the Macaron GitHub Action, add the following step to your workflow (adjust the version as needed). In this example, we use an example policy. For detailed instructions and a comprehensive list of available options, please refer to the [Macaron GitHub Action documentation](https://oracle.github.io/macaron/pages/macaron_action.html).
 ```yaml
-- uses: oracle/macaron@v0.22.0
+- uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
 with:
 repo_path: 'https://github.com/example/project'
 policy_file: check-github-actions
- policy_purl: 'pkg:github.com/example/project'
+ policy_purl: 'pkg:github.com/example/project@.*'
 output_dir: 'macaron-output'
 upload_attestation: true
 ```
diff --git a/docs/source/pages/macaron_action.rst b/docs/source/pages/macaron_action.rst
index 8deb62842..d7e718747 100644
--- a/docs/source/pages/macaron_action.rst
+++ b/docs/source/pages/macaron_action.rst
@@ -19,11 +19,11 @@ When you use this action, you can reference it directly in your workflow. For a
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 - name: Run Macaron Security Analysis Action
- uses: oracle/macaron@fda4dda04aa7228fcaba162804891806cf5a1375 # v0.22.0
+ uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
 with:
 repo_path: 'https://github.com/example/project'
 policy_file: check-github-actions
- policy_purl: 'pkg:github.com/example/project'
+ policy_purl: 'pkg:github.com/example/project@.*'
 reports_retention_days: 90
 By default, the action posts a human-friendly results summary to the GitHub Actions run page (job summary). If you upload the results like in this `workflow `_, check this :ref:`documentation ` to see how to read and understand them.