chore(ci): widen CodeQL PR guard

Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
2026-05-06 12:00:44 +00:00 · 2026-04-29 20:06:50 -07:00
parent 8672737f81
commit 6e73101df3
9 changed files with 69 additions and 52 deletions
--- a/.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
+++ b/.github/codeql/codeql-channel-runtime-boundary-critical-security.yml
@@ -10,10 +10,8 @@ query-filters:
      precision:
        - high
        - very-high
-  - exclude:
-      problem.severity:
-        - recommendation
-        - warning
+      tags contain: security
+      security-severity: /([7-9]|10)\.(\d)+/

 paths:
  - src/channels