chore: release v0.19.0 — TUI cross-file flows & call graph enhancements #34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: RMA Security Scan | |
| on: | |
| push: | |
| branches: [master, main] | |
| pull_request: | |
| branches: [master, main] | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write | |
| jobs: | |
| rma-scan: | |
| name: RMA Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download RMA binary | |
| run: | | |
| # Get latest release or fallback to building | |
| LATEST=$(curl -s https://api.github.com/repos/bumahkib7/rust-monorepo-analyzer/releases/latest | jq -r '.tag_name // empty') | |
| if [ -n "$LATEST" ]; then | |
| echo "Downloading RMA $LATEST..." | |
| curl -sL "https://github.com/bumahkib7/rust-monorepo-analyzer/releases/download/${LATEST}/rma-x86_64-unknown-linux-gnu.tar.gz" | tar -xz | |
| chmod +x rma | |
| ./rma --version | |
| else | |
| echo "No release found, will build from source" | |
| echo "BUILD_FROM_SOURCE=true" >> $GITHUB_ENV | |
| fi | |
| - name: Install Rust (if needed) | |
| if: env.BUILD_FROM_SOURCE == 'true' | |
| uses: dtolnay/rust-toolchain@stable | |
| - name: Cache cargo (if building) | |
| if: env.BUILD_FROM_SOURCE == 'true' | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/git/db/ | |
| target/ | |
| key: rma-scan-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Build RMA (if needed) | |
| if: env.BUILD_FROM_SOURCE == 'true' | |
| run: | | |
| cargo build --release --package rma-cli | |
| cp target/release/rma ./rma | |
| - name: Run RMA scan | |
| id: scan | |
| run: | | |
| # Note: Excluding crypto/secret rules because rule definition files | |
| # intentionally contain vulnerable patterns as examples. | |
| # Excluding external/ and rules/ dirs which contain third-party code | |
| # and intentional vulnerable-pattern examples. | |
| # Severity warning+ to stay under GitHub's 5000 alert SARIF limit. | |
| ./rma scan . \ | |
| --format sarif \ | |
| --output rma-results.sarif \ | |
| --severity warning \ | |
| --skip-tests-all \ | |
| --exclude-rules "generic/hardcoded-secret,generic/insecure-crypto,generic/crypto-typestate" \ | |
| --exclude "external/**,crates/rules/rules/**,target/**" \ | |
| 2>&1 || true | |
| echo "Scan complete." | |
| if [ -f rma-results.sarif ]; then | |
| RESULT_COUNT=$(jq '[.runs[].results[]] | length' rma-results.sarif 2>/dev/null || echo "unknown") | |
| echo "SARIF results: ${RESULT_COUNT}" | |
| if [ "${RESULT_COUNT}" != "unknown" ] && [ "${RESULT_COUNT}" -gt 5000 ]; then | |
| echo "::warning::SARIF has ${RESULT_COUNT} results (GitHub limit is 5000). Truncating." | |
| jq '.runs[0].results = (.runs[0].results[:5000])' rma-results.sarif > rma-results-truncated.sarif | |
| mv rma-results-truncated.sarif rma-results.sarif | |
| fi | |
| echo "sarif-file=rma-results.sarif" >> "$GITHUB_OUTPUT" | |
| jq -r '.runs[0].invocations[0].properties.metrics // "No metrics"' rma-results.sarif || true | |
| fi | |
| - name: Upload SARIF to GitHub Code Scanning | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: rma-results.sarif | |
| category: rma-security-scan |