vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 18:50:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

ci: right-size codeql quality runners

Browse Source 
Run CodeQL Critical Quality on 4 vCPU Blacksmith runners.
This commit is contained in:
Vincent Koc
2026-04-28 19:26:45 -07:00
committed by GitHub
parent 13fdeec2cc
commit 09e2cf1103
3 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
docs/ci.md
View File

@@ -250,8 +250,9 @@ default workflow because the macOS build dominates runtime even when clean.
The `CodeQL Critical Quality` workflow is the matching non-security shard. It
runs only error-severity, non-security JavaScript/TypeScript quality queries
over narrow high-value surfaces. Its baseline job scans the same auth, secrets,
sandbox, cron, and gateway surface as the security workflow. The config-boundary
over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
baseline job scans the same auth, secrets, sandbox, cron, and gateway surface
as the security workflow. The config-boundary
job scans config schema, migration, normalization, and IO contracts under the
separate `/codeql-critical-quality/config-boundary` category. The
gateway-runtime-boundary job scans gateway protocol schemas and server method
@@ -393,6 +394,7 @@ The automatic CI concurrency key is versioned (`CI-v7-*`) so a GitHub-side zombi
| Runner | Jobs |
| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ubuntu-24.04` | `preflight`, fast security jobs and aggregates (`security-scm-fast`, `security-dependency-audit`, `security-fast`), fast protocol/contract/bundled checks, sharded channel contract checks, `check` shards except lint, `check-additional` shards and aggregates, Node test aggregate verifiers, docs checks, Python skills, workflow-sanity, labeler, auto-response; install-smoke preflight also uses GitHub-hosted Ubuntu so the Blacksmith matrix can queue earlier |
| `blacksmith-4vcpu-ubuntu-2404` | `CodeQL Critical Quality`, lower-weight extension shards, `checks-fast-core`, `checks-node-compat-node22`, `check-prod-types`, and `check-test-types` |
| `blacksmith-8vcpu-ubuntu-2404` | `build-artifacts`, build-smoke, Linux Node test shards, bundled plugin test shards, `android` |
| `blacksmith-16vcpu-ubuntu-2404` | `check-lint`, which remains CPU-sensitive enough that 8 vCPU cost more than it saved; install-smoke Docker builds, where 32-vCPU queue time cost more than it saved |
| `blacksmith-16vcpu-windows-2025` | `checks-windows` |