chore: migrate RL scanner to shared devsecops-tooling action

## Changes

- Replace local `rl-scanner` composite action and reusable workflow with the shared
  `auth0/devsecops-tooling/.github/actions/rl-scan@main` action, matching `auth0-fastapi-api`
- Inline RL scanner job directly in `publish.yml`
- Use absolute artifact path via `github.workspace`
- Add `SIGNAL_HANDLER_DOMAIN` and `PRODSEC_PYTHON_TOOLS_REPO` secrets
- Add `needs: rl-scanner` dependency on `publish-pypi` job
- Remove `.github/workflows/rl-scanner.yml`
- Remove `.github/actions/rl-scanner/`

Author: kishore7snehil

.github/actions/rl-scanner/action.yml

@@ -1,6 +1,9 @@
 name: Publish Release
 
 on:
+  push:
+    branches:
+      - chore/migrate-rl-scanner  # TEMPORARY: remove after RL scanner debugging
   workflow_dispatch:
 
 ### TODO: Replace instances of './.github/actions/' with reference to the `dx-sdk-actions` repo is made public and this file is transferred over
@@ -12,22 +15,55 @@ permissions:
 
 jobs:
   rl-scanner:
-    uses: ./.github/workflows/rl-scanner.yml
-    with:
-      python-version: "3.10"
-      artifact-name: "auth0-fastapi-api.tgz"
-    secrets:
-      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+
+      - name: Configure Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.12"
+
+      - name: Build artifact
+        run: |
+          pip install --user --upgrade pip
+          pip install --user pipx
+          pipx ensurepath
+          pipx install poetry
+          poetry config virtualenvs.in-project true
+          poetry install --with dev
+          poetry build
+          tar -czvf auth0-api-python.tgz *
+
+      - name: Get version
+        id: get_version
+        uses: ./.github/actions/get-version
+
+      - name: Run RL Scanner
+        uses: auth0/devsecops-tooling/.github/actions/rl-scan@main
+        with:
+          artifact-name: "auth0-api-python"
+          artifact-path: "${{ github.workspace }}/auth0-api-python.tgz"
+          version: ${{ steps.get_version.outputs.version }}
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          SIGNAL_HANDLER_DOMAIN: ${{ secrets.SIGNAL_HANDLER_DOMAIN }}
+          PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+          PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+          PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+          PRODSEC_PYTHON_TOOLS_REPO: ${{ secrets.PRODSEC_PYTHON_TOOLS_REPO }}
+
   publish-pypi:
-    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
+    if: false # TEMPORARY: disabled during RL scanner debugging — original condition below
+    # if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"
     runs-on: ubuntu-latest
-    # needs: rl-scanner
+    needs: rl-scanner
     environment: release
 
     steps: