From 1d9f727bfd683954a83eb5d5d08243b8e11a2b73 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Wed, 29 Apr 2026 14:09:15 -0700
Subject: [PATCH] chore(ci): rename CodeQL auth security shard
---
 ...ml => codeql-core-auth-secrets-critical-security.yml} | 2 +-
 .github/workflows/codeql.yml | 4 ++--
 docs/ci.md | 9 +++++----
 3 files changed, 8 insertions(+), 7 deletions(-)
 rename .github/codeql/{codeql-javascript-typescript-critical-security.yml => codeql-core-auth-secrets-critical-security.yml} (95%)
diff --git a/.github/codeql/codeql-javascript-typescript-critical-security.yml b/.github/codeql/codeql-core-auth-secrets-critical-security.yml
similarity index 95%
rename from .github/codeql/codeql-javascript-typescript-critical-security.yml
rename to .github/codeql/codeql-core-auth-secrets-critical-security.yml
index 411ea92f447..0d74b8b2724 100644
--- a/.github/codeql/codeql-javascript-typescript-critical-security.yml
+++ b/.github/codeql/codeql-core-auth-secrets-critical-security.yml
@@ -1,4 +1,4 @@
-name: openclaw-codeql-javascript-typescript-critical-security
+name: openclaw-codeql-core-auth-secrets-critical-security
 disable-default-queries: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6f9170444b3..edd664749fe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -37,10 +37,10 @@ jobs:
 matrix:
 include:
 - language: javascript-typescript
- category: javascript-typescript
+ category: core-auth-secrets
 runs_on: blacksmith-8vcpu-ubuntu-2404
 timeout_minutes: 25
- config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
+ config_file: ./.github/codeql/codeql-core-auth-secrets-critical-security.yml
 - language: javascript-typescript
 category: channel-runtime-boundary
 runs_on: blacksmith-8vcpu-ubuntu-2404
diff --git a/docs/ci.md b/docs/ci.md
index b55136c6d8c..29850b106bd 100644
--- a/docs/ci.md
+++ b/docs/ci.md
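Review bot: Changing the matrix `category` from `javascript-typescript` to `core-auth-secrets` in the codeql.yml hunk changes the analysis category this shard's SARIF is uploaded under, and the commit does not address the alerts already filed under the old category. If the upload step builds its category from `matrix.category` (the job definition starts outside this hunk, so that is inferred), code scanning will treat the renamed shard as a new analysis: open alerts under the old `/codeql-critical-security/javascript-typescript` path are not closed automatically, and the same findings reappear under the new category until the stale analyses for the old one are deleted. A comment beside the entry would make the migration explicit for whoever triages the duplicates, e.g. `# renamed from javascript-typescript; delete stale analyses under the old category after the first run`, or a one-line migration note in docs/ci.md next to the category description.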
@@ -258,19 +258,20 @@ or overlapping changed hunks.
 The `CodeQL` workflow is intentionally a narrow first-pass security scanner, not the full repository sweep. Daily and manual runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
-gateway surfaces with high-precision security queries. The
+gateway surfaces with high-precision security queries under the
+`/codeql-critical-security/core-auth-secrets` category. The
 channel-runtime-boundary job separately scans core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` category so channel security signal can scale without broadening the baseline
-JS/TS category. The network-ssrf-boundary job scans core SSRF, IP parsing,
+auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing,
 network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the `/codeql-critical-security/network-ssrf-boundary` category so network trust
-boundary signal stays separate from the broader JS/TS security baseline.
+boundary signal stays separate from the auth/secrets security baseline.
 The mcp-process-tool-boundary job scans MCP servers, process execution helpers, outbound delivery, and agent tool-execution gates under the `/codeql-critical-security/mcp-process-tool-boundary` category so command and
-tool boundary signal stays separate from both the general JS/TS baseline and
+tool boundary signal stays separate from both the auth/secrets baseline and
 the non-security MCP/process quality shard. The `CodeQL Android Critical Security` workflow is the scheduled Android