chore(ci): add config CodeQL PR quality guard

Adds the config-boundary quality shard to the PR CodeQL guard and documents the expanded eleven-shard PR quality set.
2026-05-06 08:20:43 +00:00 · 2026-04-29 23:15:58 -07:00
parent 6dbaa0a278
commit 423f6df5b1
2 changed files with 14 additions and 3 deletions
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -10,6 +10,7 @@ on:
        type: choice
        options:
          - all
+          - config-boundary
          - core-auth-secrets
          - channel-runtime-boundary
          - gateway-runtime-boundary
@@ -28,6 +29,7 @@ on:
      - "packages/plugin-package-contract/**"
      - "packages/plugin-sdk/**"
      - "packages/memory-host-sdk/**"
+      - "src/config/**"
      - "src/agents/*auth*.ts"
      - "src/agents/**/*auth*.ts"
      - "src/agents/auth-health*.ts"
@@ -101,6 +103,7 @@ jobs:
    timeout-minutes: 5
    outputs:
      channel: ${{ steps.detect.outputs.channel }}
+      config: ${{ steps.detect.outputs.config }}
      core_auth_secrets: ${{ steps.detect.outputs.core_auth_secrets }}
      gateway: ${{ steps.detect.outputs.gateway }}
      memory: ${{ steps.detect.outputs.memory }}
@@ -122,6 +125,7 @@ jobs:
          set -euo pipefail

          channel=false
+          config=false
          core_auth_secrets=false
          gateway=false
          memory=false
@@ -134,6 +138,7 @@ jobs:

          if [[ "${EVENT_NAME}" != "pull_request" ]]; then
            channel=true
+            config=true
            core_auth_secrets=true
            gateway=true
            memory=true
@@ -148,6 +153,7 @@ jobs:
              case "${file}" in
                .github/codeql/*|.github/workflows/codeql-critical-quality.yml)
                  channel=true
+                  config=true
                  core_auth_secrets=true
                  gateway=true
                  memory=true
@@ -164,6 +170,9 @@ jobs:
                src/channels/*)
                  channel=true
                  ;;
+                src/config/*)
+                  config=true
+                  ;;
                src/gateway/protocol/*secret*.ts|src/gateway/server-methods/secrets*.ts)
                  core_auth_secrets=true
                  gateway=true
@@ -224,6 +233,7 @@ jobs:

          {
            echo "channel=${channel}"
+            echo "config=${config}"
            echo "core_auth_secrets=${core_auth_secrets}"
            echo "gateway=${gateway}"
            echo "memory=${memory}"
@@ -260,7 +270,8 @@ jobs:

  config-boundary:
    name: Critical Quality (config-boundary)
-    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.config == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'config-boundary') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -335,12 +335,12 @@ The pull request guard stays light: it only starts for changes under `.github/ac

 ### Critical Quality categories

-`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `core-auth-secrets`, `channel-runtime-boundary`, `gateway-runtime-boundary`, `memory-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, `plugin-sdk-package-contract`, and `plugin-sdk-reply-runtime` shards for auth/secrets/sandbox/security code, channel runtime, gateway protocol/server-method, memory runtime/SDK glue, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK/package-contract, or Plugin SDK reply runtime changes. CodeQL config and quality workflow changes run all ten PR quality shards.
+`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `config-boundary`, `core-auth-secrets`, `channel-runtime-boundary`, `gateway-runtime-boundary`, `memory-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, `plugin-sdk-package-contract`, and `plugin-sdk-reply-runtime` shards for config schema/migration/IO code, auth/secrets/sandbox/security code, channel runtime, gateway protocol/server-method, memory runtime/SDK glue, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK/package-contract, or Plugin SDK reply runtime changes. CodeQL config and quality workflow changes run all eleven PR quality shards.

 Manual dispatch accepts:

 ```
-profile=all|core-auth-secrets|channel-runtime-boundary|gateway-runtime-boundary|memory-runtime-boundary|mcp-process-runtime-boundary|plugin-boundary|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary
+profile=all|config-boundary|core-auth-secrets|channel-runtime-boundary|gateway-runtime-boundary|memory-runtime-boundary|mcp-process-runtime-boundary|plugin-boundary|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary
 ```

 The narrow profiles are teaching/iteration hooks for running one quality shard in isolation.