chore: release v0.16.0 (#8) #20
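---
# Runs the RMA (rust-monorepo-analyzer) scanner over this repository and
# publishes the SARIF results to GitHub Code Scanning. The scanner is taken
# from the latest published release when one exists, otherwise it is built
# from this checkout.
name: RMA Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master, main]
  pull_request:
    branches: [master, main]
  workflow_dispatch:

# Least privilege: the job only reads the checkout and writes code-scanning
# alerts. NOTE(review): upload-sarif on a *private* repository additionally
# needs `actions: read` — add it only if this repository is private.
permissions:
  contents: read
  security-events: write

jobs:
  rma-scan:
    name: RMA Security Scan
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below is pinned to a mutable tag. Pinning
      # each action to a full commit SHA (keeping the tag in a comment) protects
      # the job from a moved or compromised tag.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download RMA binary
        env:
          # Authenticated API calls get a much higher rate limit than the
          # anonymous per-IP limit, which shared runners exhaust easily and
          # which would otherwise silently force the slow build-from-source path.
          GH_TOKEN: ${{ github.token }}
          RMA_REPO: bumahkib7/rust-monorepo-analyzer
        run: |
          # Prefer the latest published release; fall back to building from source.
          # `--fail` turns an HTTP error into a non-zero exit; the job shell runs
          # with `-o pipefail`, so the `|| LATEST=""` keeps the fallback behaviour
          # when the API call fails or no release exists.
          LATEST=$(curl -fsS \
            -H "Authorization: Bearer ${GH_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${RMA_REPO}/releases/latest" \
            | jq -r '.tag_name // empty') || LATEST=""
          if [ -n "$LATEST" ]; then
            echo "Downloading RMA $LATEST..."
            # --fail makes an HTTP error abort the pipeline instead of feeding an
            # error page into tar; with pipefail a failed download fails the step.
            # TODO(security): this archive is executed with no integrity check.
            # Verify a checksum or signature published with the release (or pin
            # a specific release tag plus its digest) before trusting the binary.
            curl -fsSL "https://github.com/${RMA_REPO}/releases/download/${LATEST}/rma-x86_64-unknown-linux-gnu.tar.gz" \
              | tar -xz
            chmod +x rma
            ./rma --version
          else
            echo "No release found, will build from source"
            echo "BUILD_FROM_SOURCE=true" >> "$GITHUB_ENV"
          fi

      # The three steps below only run on the build-from-source path.
      - name: Install Rust (if needed)
        if: env.BUILD_FROM_SOURCE == 'true'
        uses: dtolnay/rust-toolchain@stable

      - name: Cache cargo (if building)
        if: env.BUILD_FROM_SOURCE == 'true'
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: rma-scan-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}

      - name: Build RMA (if needed)
        if: env.BUILD_FROM_SOURCE == 'true'
        run: |
          cargo build --release --package rma-cli
          cp target/release/rma ./rma

      - name: Run RMA scan
        id: scan
        run: |
          # Crypto/secret rules are excluded because the rule definition files
          # intentionally contain vulnerable patterns as examples.
          # The scanner's exit status is deliberately not allowed to fail the
          # job (it is logged instead); whether a SARIF file was actually
          # written is what gates the upload step.
          ./rma scan . \
            --format sarif \
            --output rma-results.sarif \
            --severity info \
            --skip-tests-all \
            --exclude-rules "generic/hardcoded-secret,generic/insecure-crypto,generic/crypto-typestate" \
            2>&1 || echo "rma scan exited with status $? (continuing)"
          echo "Scan complete."
          if [ -f rma-results.sarif ]; then
            # Export the path for the upload step; it stays unset when no file exists.
            echo "sarif-file=rma-results.sarif" >> "$GITHUB_OUTPUT"
            jq -r '.runs[0].invocations[0].properties.metrics // "No metrics"' rma-results.sarif || true
          else
            echo "::warning::rma did not produce rma-results.sarif; nothing will be uploaded"
          fi

      - name: Upload SARIF to GitHub Code Scanning
        # Run even if an earlier step failed, but only when the scan step
        # actually produced a SARIF file — upload-sarif fails on a missing file.
        if: always() && steps.scan.outputs.sarif-file != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif-file }}
          category: rma-security-scan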