vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 19:50:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): add provider runtime CodeQL quality shard

Browse Source 
Adds a focused non-security CodeQL quality shard for provider runtime and model catalog contracts.
This commit is contained in:
Vincent Koc
2026-04-29 16:15:38 -07:00
committed by GitHub
parent 6662dcf209
commit 845dd2a7d5
3 changed files with 72 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml vendored Normal file
View File

@@ -0,0 +1,44 @@
name: openclaw-codeql-provider-runtime-boundary-critical-quality
disable-default-queries: true
queries:
- uses: security-and-quality
query-filters:
- include:
problem.severity:
- error
- exclude:
tags:
- security
paths:
- src/model-catalog
- src/plugins/provider-*.ts
- src/plugins/providers*.ts
- src/plugins/*provider*.ts
- src/plugins/capability-provider-runtime.ts
- src/plugins/compaction-provider.ts
- src/plugins/memory-embedding-provider*.ts
- src/plugins/memory-embedding-providers*.ts
- src/plugins/migration-provider-runtime.ts
- src/plugins/synthetic-auth.runtime.ts
- src/plugins/web-fetch-providers*.ts
- src/plugins/web-search-providers*.ts
paths-ignore:
- "**/node_modules"
- "**/coverage"
- "**/*.generated.ts"
- "**/*.bundle.js"
- "**/*-runtime.js"
- "**/*.test.ts"
- "**/*.test.tsx"
- "**/*.e2e.test.ts"
- "**/*.e2e.test.tsx"
- "**/*test-support*"
- "**/*test-helper*"
- "**/*mock*"
- "**/*fixture*"
- "**/*bench*"

23
.github/workflows/codeql-critical-quality.yml vendored
View File

@@ -12,6 +12,7 @@ on:
- all - all
- plugin-sdk-package-contract - plugin-sdk-package-contract
- plugin-sdk-reply-runtime - plugin-sdk-reply-runtime
- provider-runtime-boundary
- session-diagnostics-boundary - session-diagnostics-boundary
schedule: schedule:
- cron: "30 6 * * *" - cron: "30 6 * * *"
@@ -227,6 +228,28 @@ jobs:
with: with:
category: "/codeql-critical-quality/plugin-sdk-reply-runtime" category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
provider-runtime-boundary:
name: Critical Quality (provider-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary' }}
runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: false
- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
languages: javascript-typescript
config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
- name: Analyze
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
category: "/codeql-critical-quality/provider-runtime-boundary"
ui-control-plane: ui-control-plane:
name: Critical Quality (ui-control-plane) name: Critical Quality (ui-control-plane)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}

6
docs/ci.md
View File

@@ -294,7 +294,7 @@ The `CodeQL Critical Quality` workflow is the matching non-security shard. It
runs only error-severity, non-security JavaScript/TypeScript quality queries runs only error-severity, non-security JavaScript/TypeScript quality queries
over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
manual dispatch accepts manual dispatch accepts
`profile=all|plugin-sdk-package-contract|plugin-sdk-reply-runtime|session-diagnostics-boundary`; `profile=all|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary`;
the narrow profiles are teaching/iteration hooks for running one quality shard the narrow profiles are teaching/iteration hooks for running one quality shard
in isolation without dispatching the rest of the workflow. in isolation without dispatching the rest of the workflow.
Its Its
@@ -325,6 +325,10 @@ plugin-sdk-reply-runtime job scans Plugin SDK inbound reply dispatch, reply
payload/chunking/runtime helpers, channel reply options, delivery queues, and payload/chunking/runtime helpers, channel reply options, delivery queues, and
session/thread binding helpers under the separate session/thread binding helpers under the separate
`/codeql-critical-quality/plugin-sdk-reply-runtime` category. The `/codeql-critical-quality/plugin-sdk-reply-runtime` category. The
provider-runtime-boundary job scans model catalog normalization, provider auth
and discovery, provider runtime registration, provider defaults/catalogs, and
web/search/fetch/embedding provider registries under the separate
`/codeql-critical-quality/provider-runtime-boundary` category. The
ui-control-plane job scans Control UI bootstrap, local persistence, gateway ui-control-plane job scans Control UI bootstrap, local persistence, gateway
control flows, and task control-plane runtime contracts under the separate control flows, and task control-plane runtime contracts under the separate
`/codeql-critical-quality/ui-control-plane` category. The `/codeql-critical-quality/ui-control-plane` category. The