chore(ci): add CodeQL PR security guard

Runs the narrow CodeQL critical-security matrix on non-draft pull requests for code and workflow security-boundary changes.
Vincent Koc
2026-04-29 19:19:45 -07:00
committed by GitHub
parent 35264ca034
commit 8aed80d2fa
2 changed files with 19 additions and 7 deletions


@@ -11,12 +11,20 @@ on:
options:
- all
- security
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
paths:
- ".github/actions/**"
- ".github/codeql/**"
- ".github/workflows/**"
- "packages/**"
- "src/**"
schedule:
- cron: "0 6 * * *"
concurrency:
group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
cancel-in-progress: false
group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -29,7 +37,7 @@ permissions:
jobs:
critical-security:
name: Critical Security (${{ matrix.category }})
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security' }}
if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security') }}
runs-on: ${{ matrix.runs_on }}
timeout-minutes: ${{ matrix.timeout_minutes }}
strategy:
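Review bot: The `paths:` filter on the new `pull_request` trigger in the first hunk means a PR that touches none of the listed paths never starts `critical-security`, so if this job is (or later becomes) a required status check such PRs will wait on a check that never reports; if it is meant as a merge gate, either drop the filter or add a same-named no-op workflow whose `paths-ignore` mirrors this list. The two-tier `concurrency.group` expression on the new `group:` line relies on `&&` binding tighter than `||` in Actions expressions, which is correct but not obvious to readers; a comment above `concurrency:` such as `# PRs: one run per PR number, a newer push cancels the older; push/schedule: one run per SHA, never cancelled` would document the intent, and pairs with the `cancel-in-progress` expression below it. Since the filter also includes `.github/workflows/**` and `.github/codeql/**`, and `pull_request` runs are executed from the PR head, this job checks a PR's own copy of the workflow and CodeQL config, so it cannot by itself prevent a PR from weakening the guard; branch protection or CODEOWNERS on `.github/` is the control for that. The `critical-security` job definition continues past the end of the second hunk.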