fix: trigger Homebrew tap update from release workflow #32

Workflow file for this run

.github/workflows/rma-scan.yml at 48adf12

	name: RMA Security Scan

	on:
	push:
	branches: [master, main]
	pull_request:
	branches: [master, main]
	workflow_dispatch:

	permissions:
	contents: read
	security-events: write

	jobs:
	rma-scan:
	name: RMA Security Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Download RMA binary
	run: \|
	# Get latest release or fallback to building
	LATEST=$(curl -s https://api.github.com/repos/bumahkib7/rust-monorepo-analyzer/releases/latest \| jq -r '.tag_name // empty')

	if [ -n "$LATEST" ]; then
	echo "Downloading RMA $LATEST..."
	curl -sL "https://github.com/bumahkib7/rust-monorepo-analyzer/releases/download/${LATEST}/rma-x86_64-unknown-linux-gnu.tar.gz" \| tar -xz
	chmod +x rma
	./rma --version
	else
	echo "No release found, will build from source"
	echo "BUILD_FROM_SOURCE=true" >> $GITHUB_ENV
	fi

	- name: Install Rust (if needed)
	if: env.BUILD_FROM_SOURCE == 'true'
	uses: dtolnay/rust-toolchain@stable

	- name: Cache cargo (if building)
	if: env.BUILD_FROM_SOURCE == 'true'
	uses: actions/cache@v4
	with:
	path: \|
	~/.cargo/registry/index/
	~/.cargo/registry/cache/
	~/.cargo/git/db/
	target/
	key: rma-scan-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}

	- name: Build RMA (if needed)
	if: env.BUILD_FROM_SOURCE == 'true'
	run: \|
	cargo build --release --package rma-cli
	cp target/release/rma ./rma

	- name: Run RMA scan
	id: scan
	run: \|
	# Note: Excluding crypto/secret rules because rule definition files
	# intentionally contain vulnerable patterns as examples.
	# Excluding external/ and rules/ dirs which contain third-party code
	# and intentional vulnerable-pattern examples.
	# Severity warning+ to stay under GitHub's 5000 alert SARIF limit.
	./rma scan . \
	--format sarif \
	--output rma-results.sarif \
	--severity warning \
	--skip-tests-all \
	--exclude-rules "generic/hardcoded-secret,generic/insecure-crypto,generic/crypto-typestate" \
	--exclude "external/,crates/rules/rules/,target/**" \
	2>&1 \|\| true

	echo "Scan complete."

	if [ -f rma-results.sarif ]; then
	RESULT_COUNT=$(jq '[.runs[].results[]] \| length' rma-results.sarif 2>/dev/null \|\| echo "unknown")
	echo "SARIF results: ${RESULT_COUNT}"
	if [ "${RESULT_COUNT}" != "unknown" ] && [ "${RESULT_COUNT}" -gt 5000 ]; then
	echo "::warning::SARIF has ${RESULT_COUNT} results (GitHub limit is 5000). Truncating."
	jq '.runs[0].results = (.runs[0].results[:5000])' rma-results.sarif > rma-results-truncated.sarif
	mv rma-results-truncated.sarif rma-results.sarif
	fi
	echo "sarif-file=rma-results.sarif" >> "$GITHUB_OUTPUT"
	jq -r '.runs[0].invocations[0].properties.metrics // "No metrics"' rma-results.sarif \|\| true
	fi

	- name: Upload SARIF to GitHub Code Scanning
	if: always()
	uses: github/codeql-action/upload-sarif@v4
	with:
	sarif_file: rma-results.sarif
	category: rma-security-scan

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: trigger Homebrew tap update from release workflow #32

Workflow file

fix: trigger Homebrew tap update from release workflow #32

Uh oh!

Workflow file for this run