fix(ci): add android CodeQL security shard

Add a manual Android CodeQL security shard scoped to app production sources. Verified with profile=android-security on Blacksmith in 4m22s.
2026-05-06 06:20:43 +00:00 · 2026-04-27 12:32:55 -07:00
parent 4cd68fafbb
commit 74eccd42d8
2 changed files with 55 additions and 0 deletions
--- a/.github/codeql/codeql-android-critical-security.yml
+++ b/.github/codeql/codeql-android-critical-security.yml
@@ -0,0 +1,21 @@
+name: openclaw-codeql-android-critical-security
+
+disable-default-queries: true
+
+queries:
+  - uses: security-extended
+
+paths:
+  - apps/android/app/src/main
+
+paths-ignore:
+  - "**/.gradle"
+  - "**/build"
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.*"
+  - "**/*Test.kt"
+  - "**/*Test.java"
+  - "**/*Benchmark.kt"
+  - apps/android/app/src/test
+  - apps/android/benchmark
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -12,6 +12,7 @@ on:
          - all
          - security
          - quality
+          - android-security
  schedule:
    - cron: "0 6 * * *"

@@ -83,3 +84,36 @@ jobs:
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/javascript-typescript"
+
+  android-security:
+    name: Critical Security (android)
+    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'android-security' }}
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Setup Java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: "21"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: java-kotlin
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-android-critical-security.yml
+
+      - name: Build Android for CodeQL
+        working-directory: apps/android
+        run: ./gradlew --no-daemon :app:assemblePlayDebug
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-security/android"