ci: schedule android codeql shard (#73430)

2026-05-06 05:10:44 +00:00 · 2026-04-28 01:54:57 -07:00
parent 76cd97289b
commit b6a21cde34
4 changed files with 62 additions and 40 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -9,6 +9,7 @@
 /.github/dependabot.yml @openclaw/secops
 /.github/codeql/ @openclaw/secops
 /.github/workflows/codeql.yml @openclaw/secops
+/.github/workflows/codeql-android-critical-security.yml @openclaw/secops
 /.github/workflows/codeql-critical-quality.yml @openclaw/secops
 /src/security/ @openclaw/secops
 /src/secrets/ @openclaw/secops
--- a/.github/workflows/codeql-android-critical-security.yml
+++ b/.github/workflows/codeql-android-critical-security.yml
@@ -0,0 +1,51 @@
+name: CodeQL Android Critical Security
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 7 * * *"
+
+concurrency:
+  group: codeql-android-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+  cancel-in-progress: false
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  android:
+    name: Critical Security (android)
+    runs-on: blacksmith-8vcpu-ubuntu-2404
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Setup Java
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+        with:
+          distribution: temurin
+          java-version: "21"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: java-kotlin
+          build-mode: manual
+          config-file: ./.github/codeql/codeql-android-critical-security.yml
+
+      - name: Build Android for CodeQL
+        working-directory: apps/android
+        run: ./gradlew --no-daemon :app:assemblePlayDebug
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-security/android"
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,7 +11,6 @@ on:
        options:
          - all
          - security
-          - android-security
          - macos-security
  schedule:
    - cron: "0 6 * * *"
@@ -63,39 +62,6 @@ jobs:
        with:
          category: "/codeql-critical-security/${{ matrix.language }}"

-  android-security:
-    name: Critical Security (android)
-    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'android-security' }}
-    runs-on: blacksmith-8vcpu-ubuntu-2404
-    timeout-minutes: 45
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          submodules: false
-
-      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
-        with:
-          distribution: temurin
-          java-version: "21"
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          languages: java-kotlin
-          build-mode: manual
-          config-file: ./.github/codeql/codeql-android-critical-security.yml
-
-      - name: Build Android for CodeQL
-        working-directory: apps/android
-        run: ./gradlew --no-daemon :app:assemblePlayDebug
-
-      - name: Analyze
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
-        with:
-          category: "/codeql-critical-security/android"
-
  macos-security:
    name: Critical Security (macOS)
    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'macos-security' }}
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -230,18 +230,22 @@ or overlapping changed hunks.
 The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
 not the full repository sweep. Daily and manual runs scan Actions workflow code
 plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
-gateway surfaces with high-precision security queries. Android and macOS remain
-manual security shards so their runtime and alert quality can be tracked
-separately.
+gateway surfaces with high-precision security queries. macOS remains a manual
+security shard so its runtime and alert quality can be tracked separately.
+
+The `CodeQL Android Critical Security` workflow is the scheduled Android
+security shard. It builds the Android app manually for CodeQL on the smallest
+Blacksmith Linux runner label accepted by workflow sanity and uploads results
+under the `/codeql-critical-security/android` category.

 The `CodeQL Critical Quality` workflow is the matching non-security shard. It
 runs only error-severity, non-security JavaScript/TypeScript quality queries
 over the same narrow auth, secrets, sandbox, cron, and gateway surface. Keep it
 separate from the security workflow so quality findings can be scheduled,
 measured, disabled, or expanded without obscuring security signal. Swift,
-Android, Python, UI, and bundled-plugin CodeQL expansion should be added back as
-scoped or sharded follow-up work only after the narrow profiles have stable
-runtime and signal.
+Python, UI, and bundled-plugin CodeQL expansion should be added back as scoped
+or sharded follow-up work only after the narrow profiles have stable runtime and
+signal.

 The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping
 existing docs aligned with recently landed changes. It has no pure schedule: a