From 2c2a2403449f9e3ef777a399bb60e51c91a86f3b Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Mon, 27 Apr 2026 14:37:29 -0700
Subject: [PATCH] fix(ci): filter macOS CodeQL dependency SARIF

Filter SwiftPM dependency build results from the manual macOS CodeQL shard before upload. Verified with workflow sanity, local jq filtering, and profile=macos-security branch proof in 15m54s. PR CI has the same unrelated extensions/memory-core timeout failure currently present on main.
---
 .github/workflows/codeql.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 99fe9c152b6..29c62fd4b6d 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -147,6 +147,42 @@ jobs:
 run: swift build --package-path apps/macos --product OpenClaw
 
 - name: Analyze
+ id: analyze
 uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
+ output: sarif-results
+ upload: failure-only
+ category: "/codeql-critical-security/macos"
+
+ - name: Remove dependency build results
+ env:
+ SARIF_OUTPUT: ${{ steps.analyze.outputs.sarif-output }}
+ run: |
+ set -euo pipefail
+ mkdir -p sarif-results-filtered
+
+ found=0
+ for file in "$SARIF_OUTPUT"/*.sarif; do
+ if [ ! -e "$file" ]; then
+ continue
+ fi
+
+ found=1
+ jq '
+ def in_dependency_build:
+ any(.locations[]?; (.physicalLocation.artifactLocation.uri? // "") | test("(^|/)\\.build/"));
+
+ .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
+ ' "$file" > "sarif-results-filtered/$(basename "$file")"
+ done
+
+ if [ "$found" -eq 0 ]; then
+ echo "No SARIF files found in $SARIF_OUTPUT" >&2
+ exit 1
+ fi
+
+ - name: Upload filtered SARIF
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ sarif_file: sarif-results-filtered
 category: "/codeql-critical-security/macos"
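Review bot: The `Remove dependency build results` step discards findings silently — nothing in the run output records how many results each SARIF file lost, so a genuine finding in third-party code under `.build/` (SwiftPM checkouts presumably live there, and that code is linked into the `swift build --product OpenClaw` artifact) is dropped rather than dismissed with a reason in code scanning, and nobody can later tell that the filter did so. Log the delta so the filter stays auditable, e.g. right after the `jq` redirect: `before=$(jq '[.runs[].results[]?] | length' "$file")`, `after=$(jq '[.runs[].results[]?] | length' "sarif-results-filtered/$(basename "$file")")`, `echo "$(basename "$file"): dropped $((before - after)) of $before results under .build/" >&2`. Note also that `any(.locations[]?; …)` drops a result as soon as one of its locations is under `.build/`, so a multi-location result whose primary location is in app code goes with it; if that is unintended, test `.locations[0]` only, though CodeQL results presumably carry a single primary location. The `jobs:` mapping these steps belong to starts before the hunk.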