Skip to content
Latchkey

Build macOS Binary workflow (cisco-ai-defense/mcp-scanner)

The Build macOS Binary workflow from cisco-ai-defense/mcp-scanner, explained and optimized by Latchkey.

B

CI health: B - good

Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: cisco-ai-defense/mcp-scanner.github/workflows/build-macos.ymlLicense Apache-2.0View source

What it does

This is the Build macOS Binary workflow from the cisco-ai-defense/mcp-scanner repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Build macOS Binary

on:
  release:
    types: [published]

permissions:
  contents: write

jobs:
  build-macos:
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v6

      - name: Install Python
        run: uv python install 3.13

      - name: Install dependencies
        run: uv sync

      - name: Install PyInstaller
        run: uv pip install pyinstaller

      - name: Fix yara-python OpenSSL dylib
        run: |
          YARA_DYLIBS=$(find .venv -path "*/yara_python.dylibs" -type d 2>/dev/null | head -1)
          if [ -n "$YARA_DYLIBS" ] && [ -f "$YARA_DYLIBS/libcrypto.3.dylib" ]; then
            BREW_LIBCRYPTO=$(brew --prefix openssl@3)/lib/libcrypto.3.dylib
            if [ -f "$BREW_LIBCRYPTO" ]; then
              echo "Replacing yara-python libcrypto with Homebrew version"
              cp "$BREW_LIBCRYPTO" "$YARA_DYLIBS/libcrypto.3.dylib"
            else
              echo "Warning: Homebrew libcrypto.3.dylib not found"
            fi
          else
            echo "Warning: yara_python.dylibs not found"
          fi

      - name: Build binary
        run: uv run pyinstaller mcp-scanner.spec --clean --noconfirm

      - name: Smoke test
        run: ./dist/mcp-scanner --help

      - name: Get version
        id: version
        run: echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT

      - name: Create archive
        run: >
          tar -czf mcp-scanner-${{ steps.version.outputs.version }}-macos-arm64.tar.gz
          -C dist mcp-scanner

      - name: Upload to release
        uses: softprops/action-gh-release@v2
        with:
          files: "mcp-scanner-*-macos-arm64.tar.gz"

  update-homebrew:
    needs: build-macos
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: cisco-ai-defense/homebrew-ai-defense
          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}

      - name: Get version and SHA
        id: info
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          URL="https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${GITHUB_REF_NAME}/mcp-scanner-${VERSION}-macos-arm64.tar.gz"
          for i in $(seq 1 10); do
            HTTP_CODE=$(curl -sL -o /tmp/asset.tar.gz -w "%{http_code}" "$URL")
            if [ "$HTTP_CODE" = "200" ]; then
              SHA=$(shasum -a 256 /tmp/asset.tar.gz | cut -d' ' -f1)
              break
            fi
            echo "Attempt $i: HTTP $HTTP_CODE, retrying in 15s..."
            sleep 15
          done
          if [ -z "$SHA" ] || [ ${#SHA} -ne 64 ]; then
            echo "Failed to download release asset"
            exit 1
          fi
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "sha256=$SHA" >> $GITHUB_OUTPUT

      - name: Update formula
        run: |
          sed -i 's/version ".*"/version "${{ steps.info.outputs.version }}"/' Formula/mcp-scanner.rb
          sed -i 's|url ".*"|url "https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${{ github.ref_name }}/mcp-scanner-${{ steps.info.outputs.version }}-macos-arm64.tar.gz"|' Formula/mcp-scanner.rb
          sed -i 's/sha256 ".*"/sha256 "${{ steps.info.outputs.sha256 }}"/' Formula/mcp-scanner.rb

      - name: Commit and push
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/mcp-scanner.rb
          git diff --staged --quiet && echo "No changes to commit" && exit 0
          git commit -m "Update mcp-scanner to ${{ steps.info.outputs.version }}"
          git push

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Build macOS Binary
 
on:
  release:
    types: [published]
 
permissions:
  contents: write
 
jobs:
  build-macos:
    timeout-minutes: 30
    runs-on: macos-14
    steps:
      - uses: actions/checkout@v4
 
      - name: Install uv
        uses: astral-sh/setup-uv@v6
 
      - name: Install Python
        run: uv python install 3.13
 
      - name: Install dependencies
        run: uv sync
 
      - name: Install PyInstaller
        run: uv pip install pyinstaller
 
      - name: Fix yara-python OpenSSL dylib
        run: |
          YARA_DYLIBS=$(find .venv -path "*/yara_python.dylibs" -type d 2>/dev/null | head -1)
          if [ -n "$YARA_DYLIBS" ] && [ -f "$YARA_DYLIBS/libcrypto.3.dylib" ]; then
            BREW_LIBCRYPTO=$(brew --prefix openssl@3)/lib/libcrypto.3.dylib
            if [ -f "$BREW_LIBCRYPTO" ]; then
              echo "Replacing yara-python libcrypto with Homebrew version"
              cp "$BREW_LIBCRYPTO" "$YARA_DYLIBS/libcrypto.3.dylib"
            else
              echo "Warning: Homebrew libcrypto.3.dylib not found"
            fi
          else
            echo "Warning: yara_python.dylibs not found"
          fi
 
      - name: Build binary
        run: uv run pyinstaller mcp-scanner.spec --clean --noconfirm
 
      - name: Smoke test
        run: ./dist/mcp-scanner --help
 
      - name: Get version
        id: version
        run: echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
 
      - name: Create archive
        run: >
          tar -czf mcp-scanner-${{ steps.version.outputs.version }}-macos-arm64.tar.gz
          -C dist mcp-scanner
 
      - name: Upload to release
        uses: softprops/action-gh-release@v2
        with:
          files: "mcp-scanner-*-macos-arm64.tar.gz"
 
  update-homebrew:
    timeout-minutes: 30
    needs: build-macos
    runs-on: latchkey-small
    steps:
      - uses: actions/checkout@v4
        with:
          repository: cisco-ai-defense/homebrew-ai-defense
          token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
 
      - name: Get version and SHA
        id: info
        run: |
          VERSION="${GITHUB_REF_NAME#v}"
          URL="https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${GITHUB_REF_NAME}/mcp-scanner-${VERSION}-macos-arm64.tar.gz"
          for i in $(seq 1 10); do
            HTTP_CODE=$(curl -sL -o /tmp/asset.tar.gz -w "%{http_code}" "$URL")
            if [ "$HTTP_CODE" = "200" ]; then
              SHA=$(shasum -a 256 /tmp/asset.tar.gz | cut -d' ' -f1)
              break
            fi
            echo "Attempt $i: HTTP $HTTP_CODE, retrying in 15s..."
            sleep 15
          done
          if [ -z "$SHA" ] || [ ${#SHA} -ne 64 ]; then
            echo "Failed to download release asset"
            exit 1
          fi
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "sha256=$SHA" >> $GITHUB_OUTPUT
 
      - name: Update formula
        run: |
          sed -i 's/version ".*"/version "${{ steps.info.outputs.version }}"/' Formula/mcp-scanner.rb
          sed -i 's|url ".*"|url "https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${{ github.ref_name }}/mcp-scanner-${{ steps.info.outputs.version }}-macos-arm64.tar.gz"|' Formula/mcp-scanner.rb
          sed -i 's/sha256 ".*"/sha256 "${{ steps.info.outputs.sha256 }}"/' Formula/mcp-scanner.rb
 
      - name: Commit and push
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add Formula/mcp-scanner.rb
          git diff --staged --quiet && echo "No changes to commit" && exit 0
          git commit -m "Update mcp-scanner to ${{ steps.info.outputs.version }}"
          git push
 

What changed

2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow