ci: rename codeql quality baseline shard

2026-05-06 06:10:44 +00:00 · 2026-04-28 22:52:55 -07:00
parent bd1d1f0f2b
commit 6186ed2c07
3 changed files with 8 additions and 7 deletions
--- a/.github/codeql/codeql-javascript-typescript-critical-quality.yml
+++ b/.github/codeql/codeql-javascript-typescript-critical-quality.yml
@@ -1,4 +1,4 @@
-name: openclaw-codeql-javascript-typescript-critical-quality
+name: openclaw-codeql-core-auth-secrets-critical-quality

 disable-default-queries: true

--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -18,8 +18,8 @@ permissions:
  security-events: write

 jobs:
-  javascript-typescript:
-    name: Critical Quality (javascript-typescript)
+  core-auth-secrets:
+    name: Critical Quality (core-auth-secrets)
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
@@ -32,12 +32,12 @@ jobs:
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
-          config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
+          config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
-          category: "/codeql-critical-quality/javascript-typescript"
+          category: "/codeql-critical-quality/core-auth-secrets"

  config-boundary:
    name: Critical Quality (config-boundary)
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -272,8 +272,9 @@ default workflow because the macOS build dominates runtime even when clean.
 The `CodeQL Critical Quality` workflow is the matching non-security shard. It
 runs only error-severity, non-security JavaScript/TypeScript quality queries
 over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
-baseline job scans the same auth, secrets, sandbox, cron, and gateway surface
-as the security workflow. The config-boundary
+core-auth-secrets job scans auth, secrets, sandbox, cron, and gateway security
+boundary code under the separate `/codeql-critical-quality/core-auth-secrets`
+category. The config-boundary
 job scans config schema, migration, normalization, and IO contracts under the
 separate `/codeql-critical-quality/config-boundary` category. The
 gateway-runtime-boundary job scans gateway protocol schemas and server method