chore(ci): add Plugin SDK reply CodeQL quality shard

Adds a focused non-security CodeQL quality shard for Plugin SDK reply/session delivery runtime contracts.
2026-05-06 09:10:45 +00:00 · 2026-04-29 15:56:41 -07:00
parent 6acd588bdd
commit 847d8fa0e1
3 changed files with 74 additions and 3 deletions
--- a/.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
+++ b/.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
@@ -0,0 +1,44 @@
+name: openclaw-codeql-plugin-sdk-reply-runtime-critical-quality
+
+disable-default-queries: true
+
+queries:
+  - uses: security-and-quality
+
+query-filters:
+  - include:
+      problem.severity:
+        - error
+  - exclude:
+      tags:
+        - security
+
+paths:
+  - src/plugin-sdk/inbound-envelope.ts
+  - src/plugin-sdk/inbound-reply-dispatch.ts
+  - src/plugin-sdk/reply-*.ts
+  - src/plugin-sdk/channel-reply-*.ts
+  - src/plugin-sdk/delivery-queue-runtime.ts
+  - src/plugin-sdk/outbound-runtime.ts
+  - src/plugin-sdk/outbound-send-deps.ts
+  - src/plugin-sdk/model-session-runtime.ts
+  - src/plugin-sdk/session-*.ts
+  - src/plugin-sdk/thread-bindings-runtime.ts
+  - src/plugin-sdk/thread-bindings-session-runtime.ts
+  - src/plugin-sdk/conversation-binding-runtime.ts
+
+paths-ignore:
+  - "**/node_modules"
+  - "**/coverage"
+  - "**/*.generated.ts"
+  - "**/*.bundle.js"
+  - "**/*-runtime.js"
+  - "**/*.test.ts"
+  - "**/*.test.tsx"
+  - "**/*.e2e.test.ts"
+  - "**/*.e2e.test.tsx"
+  - "**/*test-support*"
+  - "**/*test-helper*"
+  - "**/*mock*"
+  - "**/*fixture*"
+  - "**/*bench*"
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -11,6 +11,7 @@ on:
        options:
          - all
          - plugin-sdk-package-contract
+          - plugin-sdk-reply-runtime
          - session-diagnostics-boundary
  schedule:
    - cron: "30 6 * * *"
@@ -204,6 +205,28 @@ jobs:
        with:
          category: "/codeql-critical-quality/session-diagnostics-boundary"

+  plugin-sdk-reply-runtime:
+    name: Critical Quality (plugin-sdk-reply-runtime)
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime' }}
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
+
  ui-control-plane:
    name: Critical Quality (ui-control-plane)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}