Build macOS Binary workflow (cisco-ai-defense/mcp-scanner)
The Build macOS Binary workflow from cisco-ai-defense/mcp-scanner, explained and optimized by Latchkey.
CI health: B - good
Point runs-on at Latchkey and get job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.
What it does
This is the Build macOS Binary workflow from the cisco-ai-defense/mcp-scanner repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Build macOS Binary
on:
release:
types: [published]
permissions:
contents: write
jobs:
build-macos:
runs-on: macos-14
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v6
- name: Install Python
run: uv python install 3.13
- name: Install dependencies
run: uv sync
- name: Install PyInstaller
run: uv pip install pyinstaller
- name: Fix yara-python OpenSSL dylib
run: |
YARA_DYLIBS=$(find .venv -path "*/yara_python.dylibs" -type d 2>/dev/null | head -1)
if [ -n "$YARA_DYLIBS" ] && [ -f "$YARA_DYLIBS/libcrypto.3.dylib" ]; then
BREW_LIBCRYPTO=$(brew --prefix openssl@3)/lib/libcrypto.3.dylib
if [ -f "$BREW_LIBCRYPTO" ]; then
echo "Replacing yara-python libcrypto with Homebrew version"
cp "$BREW_LIBCRYPTO" "$YARA_DYLIBS/libcrypto.3.dylib"
else
echo "Warning: Homebrew libcrypto.3.dylib not found"
fi
else
echo "Warning: yara_python.dylibs not found"
fi
- name: Build binary
run: uv run pyinstaller mcp-scanner.spec --clean --noconfirm
- name: Smoke test
run: ./dist/mcp-scanner --help
- name: Get version
id: version
run: echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
- name: Create archive
run: >
tar -czf mcp-scanner-${{ steps.version.outputs.version }}-macos-arm64.tar.gz
-C dist mcp-scanner
- name: Upload to release
uses: softprops/action-gh-release@v2
with:
files: "mcp-scanner-*-macos-arm64.tar.gz"
update-homebrew:
needs: build-macos
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
repository: cisco-ai-defense/homebrew-ai-defense
token: ${{ secrets.HOMEBREW_TAP_TOKEN }}
- name: Get version and SHA
id: info
run: |
VERSION="${GITHUB_REF_NAME#v}"
URL="https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${GITHUB_REF_NAME}/mcp-scanner-${VERSION}-macos-arm64.tar.gz"
for i in $(seq 1 10); do
HTTP_CODE=$(curl -sL -o /tmp/asset.tar.gz -w "%{http_code}" "$URL")
if [ "$HTTP_CODE" = "200" ]; then
SHA=$(shasum -a 256 /tmp/asset.tar.gz | cut -d' ' -f1)
break
fi
echo "Attempt $i: HTTP $HTTP_CODE, retrying in 15s..."
sleep 15
done
if [ -z "$SHA" ] || [ ${#SHA} -ne 64 ]; then
echo "Failed to download release asset"
exit 1
fi
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "sha256=$SHA" >> $GITHUB_OUTPUT
- name: Update formula
run: |
sed -i 's/version ".*"/version "${{ steps.info.outputs.version }}"/' Formula/mcp-scanner.rb
sed -i 's|url ".*"|url "https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${{ github.ref_name }}/mcp-scanner-${{ steps.info.outputs.version }}-macos-arm64.tar.gz"|' Formula/mcp-scanner.rb
sed -i 's/sha256 ".*"/sha256 "${{ steps.info.outputs.sha256 }}"/' Formula/mcp-scanner.rb
- name: Commit and push
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add Formula/mcp-scanner.rb
git diff --staged --quiet && echo "No changes to commit" && exit 0
git commit -m "Update mcp-scanner to ${{ steps.info.outputs.version }}"
git push
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Build macOS Binary on: release: types: [published] permissions: contents: write jobs: build-macos: timeout-minutes: 30 runs-on: macos-14 steps: - uses: actions/checkout@v4 - name: Install uv uses: astral-sh/setup-uv@v6 - name: Install Python run: uv python install 3.13 - name: Install dependencies run: uv sync - name: Install PyInstaller run: uv pip install pyinstaller - name: Fix yara-python OpenSSL dylib run: | YARA_DYLIBS=$(find .venv -path "*/yara_python.dylibs" -type d 2>/dev/null | head -1) if [ -n "$YARA_DYLIBS" ] && [ -f "$YARA_DYLIBS/libcrypto.3.dylib" ]; then BREW_LIBCRYPTO=$(brew --prefix openssl@3)/lib/libcrypto.3.dylib if [ -f "$BREW_LIBCRYPTO" ]; then echo "Replacing yara-python libcrypto with Homebrew version" cp "$BREW_LIBCRYPTO" "$YARA_DYLIBS/libcrypto.3.dylib" else echo "Warning: Homebrew libcrypto.3.dylib not found" fi else echo "Warning: yara_python.dylibs not found" fi - name: Build binary run: uv run pyinstaller mcp-scanner.spec --clean --noconfirm - name: Smoke test run: ./dist/mcp-scanner --help - name: Get version id: version run: echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT - name: Create archive run: > tar -czf mcp-scanner-${{ steps.version.outputs.version }}-macos-arm64.tar.gz -C dist mcp-scanner - name: Upload to release uses: softprops/action-gh-release@v2 with: files: "mcp-scanner-*-macos-arm64.tar.gz" update-homebrew: timeout-minutes: 30 needs: build-macos runs-on: latchkey-small steps: - uses: actions/checkout@v4 with: repository: cisco-ai-defense/homebrew-ai-defense token: ${{ secrets.HOMEBREW_TAP_TOKEN }} - name: Get version and SHA id: info run: | VERSION="${GITHUB_REF_NAME#v}" URL="https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${GITHUB_REF_NAME}/mcp-scanner-${VERSION}-macos-arm64.tar.gz" for i in $(seq 1 10); do HTTP_CODE=$(curl -sL -o /tmp/asset.tar.gz -w "%{http_code}" "$URL") if [ "$HTTP_CODE" = "200" ]; then SHA=$(shasum -a 256 /tmp/asset.tar.gz | cut -d' ' -f1) break fi echo "Attempt $i: HTTP $HTTP_CODE, retrying in 15s..." sleep 15 done if [ -z "$SHA" ] || [ ${#SHA} -ne 64 ]; then echo "Failed to download release asset" exit 1 fi echo "version=$VERSION" >> $GITHUB_OUTPUT echo "sha256=$SHA" >> $GITHUB_OUTPUT - name: Update formula run: | sed -i 's/version ".*"/version "${{ steps.info.outputs.version }}"/' Formula/mcp-scanner.rb sed -i 's|url ".*"|url "https://github.com/cisco-ai-defense/mcp-scanner/releases/download/${{ github.ref_name }}/mcp-scanner-${{ steps.info.outputs.version }}-macos-arm64.tar.gz"|' Formula/mcp-scanner.rb sed -i 's/sha256 ".*"/sha256 "${{ steps.info.outputs.sha256 }}"/' Formula/mcp-scanner.rb - name: Commit and push run: | git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" git add Formula/mcp-scanner.rb git diff --staged --quiet && echo "No changes to commit" && exit 0 git commit -m "Update mcp-scanner to ${{ steps.info.outputs.version }}" git push
What changed
- Run on Latchkey managed runners with one line (
runs-on), which apply the fixes below automatically and self-heal transient failures. This example useslatchkey-small; pick the runner size that fits the job. - Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
This workflow runs 2 jobs per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.