feat: better support for more runner types

[tangowithfoxtrot]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/SM-1559

📔 Objective

Switch from a TypeScript Action that relies on our NAPI/WASM packages, to one written in Rust. This enables a few things:

• support for Windows and Linux ARM Runners
• an easier path to deprecating our outdated NAPI bindings
• removes reliance on dependencies from NPM
• easier local testing (we can just execute the sm-action)
• because the Rust Action doesn’t rely on GitHub-specific capabilities, there is potential to adapt and share this codebase with other CI/CD platforms that allow for secure third-party secrets management

Switching to a Rust-based Action does introduce some challenges. We will now need compiled binaries for the various Runner types (Linux, macOS, Windows, ARM64 and x86_64), so we also need a workflow that builds and releases the binaries so they can be downloaded at runtime, rather than being built from source every time our Action is invoked.

There is a fallback mode that will build the sm-action binaries from source at runtime in the event that they can't be downloaded from GitHub Releases (in something like an API degradation scenario). This is a highly unideal edge case because compiling at runtime would take ~5-6 minutes, but it seems highly unlikely that users would get a successful workflow run if GH APIs are degraded anyway. Still, I left the fallback mode there because it also makes local dev easy.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 69ea3061-9e34-4663-8ab3-4ee738f8f73d

Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2024-21538	Npm-cross-spawn-7.0.3
	Cxdca8e59f-8bfe	Npm-inflight-1.0.6
	CVE-2025-22150	Npm-undici-5.28.4
	CVE-2025-27789	Npm-@babel/helpers-7.25.0
	CVE-2025-47279	Npm-undici-5.28.4
	CVE-2025-5889	Npm-brace-expansion-1.1.11
	Cx8bc4df28-fcf5	Npm-debug-4.3.6

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate failed

Failed conditions
6 Security Hotspots

See analysis details on SonarQube Cloud

[justindbaur]

Just a few things 😺

[justindbaur]

One tiny thing but otherwise looks great.

[justindbaur]

Actually shouldn't need these anymore! (another one below)

[tangowithfoxtrot]

Good catch! Fixed in 2666508.

[justindbaur]

🚀