From 4fc0981a5209bea385d4dbaec7276aa9fcd33672 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Wed, 29 Apr 2026 22:15:17 -0700
Subject: [PATCH] chore(ci): add process CodeQL PR quality guard

Adds the MCP/process runtime quality shard to the PR CodeQL guard and keeps non-security quality analysis path-sharded by surface.
---
 .github/workflows/codeql-critical-quality.yml | 15 ++++++++++++++-
 docs/ci.md | 4 ++--
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index ce941e768ff..95cf927f823 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -12,6 +12,7 @@ on:
 - all
 - channel-runtime-boundary
 - gateway-runtime-boundary
+ - mcp-process-runtime-boundary
 - plugin-boundary
 - plugin-sdk-package-contract
 - plugin-sdk-reply-runtime
@@ -30,9 +31,12 @@ on:
 - "src/gateway/server-methods/**"
 - "src/gateway/server-methods.ts"
 - "src/gateway/server-methods-list.ts"
+ - "src/infra/outbound/**"
+ - "src/mcp/**"
 - "src/model-catalog/**"
 - "src/plugin-sdk/**"
 - "src/plugins/**"
+ - "src/process/**"
 schedule:
 - cron: "30 6 * * *"
@@ -57,6 +61,7 @@ jobs:
 outputs:
 channel: ${{ steps.detect.outputs.channel }}
 gateway: ${{ steps.detect.outputs.gateway }}
+ mcp_process: ${{ steps.detect.outputs.mcp_process }}
 plugin: ${{ steps.detect.outputs.plugin }}
 plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
 provider: ${{ steps.detect.outputs.provider }}
@@ -73,6 +78,7 @@ jobs:
 channel=false
 gateway=false
+ mcp_process=false
 plugin=false
 plugin_sdk_package=false
 provider=false
@@ -80,6 +86,7 @@ jobs:
 if [[ "${EVENT_NAME}" != "pull_request" ]]; then
 channel=true
 gateway=true
+ mcp_process=true
 plugin=true
 plugin_sdk_package=true
 provider=true
@@ -89,6 +96,7 @@ jobs:
 .github/codeql/*|.github/workflows/codeql-critical-quality.yml)
 channel=true
 gateway=true
+ mcp_process=true
 plugin=true
 plugin_sdk_package=true
 provider=true
@@ -99,6 +107,9 @@ jobs:
 src/gateway/method-scopes.ts|src/gateway/protocol/*|src/gateway/server-methods/*|src/gateway/server-methods.ts|src/gateway/server-methods-list.ts)
 gateway=true
 ;;
+ src/infra/outbound/*|src/mcp/*|src/process/*)
+ mcp_process=true
+ ;;
 src/plugin-sdk/*)
 plugin=true
 plugin_sdk_package=true
@@ -123,6 +134,7 @@ jobs:
 {
 echo "channel=${channel}"
 echo "gateway=${gateway}"
+ echo "mcp_process=${mcp_process}"
 echo "plugin=${plugin}"
 echo "plugin_sdk_package=${plugin_sdk_package}"
 echo "provider=${provider}"
@@ -242,7 +254,8 @@ jobs:
 mcp-process-runtime-boundary:
 name: Critical Quality (mcp-process-runtime-boundary)
- if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
+ needs: quality-shards
+ if: ${{ needs.quality-shards.outputs.mcp_process == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'mcp-process-runtime-boundary') }}
 runs-on: blacksmith-4vcpu-ubuntu-2404
 timeout-minutes: 25
 steps:
diff --git a/docs/ci.md b/docs/ci.md
index 5b8dd765b55..447ed823672 100644
--- a/docs/ci.md
+++ b/docs/ci.md
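Review bot: The new case arm `src/infra/outbound/*|src/mcp/*|src/process/*)` relies on bash `case` globs matching `/`, so a single `*` already covers nested files the way the `**` filters added to the `paths:` trigger do; the two glob dialects look inconsistent side by side and deserve a comment, e.g. `# case globs match "/" too: src/mcp/* covers nested paths like the "**" trigger filters`. The same note applies to the existing arms such as `src/plugin-sdk/*`. The enclosing `case` statement and the `run:` script it lives in start and end outside this hunk, so I cannot see how unmatched paths are handled.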
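Review bot: The rewritten `if:` packs three separate policies — shard selection via `needs.quality-shards.outputs.mcp_process`, the draft-PR skip, and the `workflow_dispatch` profile choice — into one unexplained expression, and its behaviour for `workflow_dispatch` and `schedule` runs only works because the detection script forces `mcp_process=true` for every non-`pull_request` event (hunk @@ -80). A comment above `needs: quality-shards` would make that coupling visible: `# Gated by quality-shards (mcp_process is forced true outside pull_request); skips draft PRs; honours the dispatch profile choice.` Note also that with `needs:` a failure of `quality-shards` now skips this shard instead of failing it, and as far as I know GitHub counts a skipped job as satisfying a required status check — presumably the same trade-off the other shards already make, but worth stating if intended. The job's `steps:` continue outside the hunk.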
@@ -335,12 +335,12 @@ The pull request guard stays light: it only starts for changes under `.github/ac
 ### Critical Quality categories
-`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `channel-runtime-boundary`, `gateway-runtime-boundary`, `provider-runtime-boundary`, `plugin-boundary`, and `plugin-sdk-package-contract` shards for channel runtime, gateway protocol/server-method, provider runtime/model catalog, plugin loader, Plugin SDK, or package-contract changes. CodeQL config and quality workflow changes run all five PR quality shards.
+`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `channel-runtime-boundary`, `gateway-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `plugin-boundary`, and `plugin-sdk-package-contract` shards for channel runtime, gateway protocol/server-method, MCP/process/outbound delivery, provider runtime/model catalog, plugin loader, Plugin SDK, or package-contract changes. CodeQL config and quality workflow changes run all six PR quality shards.
 Manual dispatch accepts:
 ```
-profile=all|channel-runtime-boundary|gateway-runtime-boundary|plugin-boundary|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary
+profile=all|channel-runtime-boundary|gateway-runtime-boundary|mcp-process-runtime-boundary|plugin-boundary|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary
 ```
 The narrow profiles are teaching/iteration hooks for running one quality shard in isolation.