chore(ci): add plugin SDK reply CodeQL PR guard

Adds the Plugin SDK reply runtime quality shard to the PR CodeQL guard while keeping reply runtime changes on the existing plugin and package-contract shards.
2026-05-06 09:10:45 +00:00 · 2026-04-29 22:43:24 -07:00
parent 897ca6abbb
commit c500b26bb6
2 changed files with 13 additions and 2 deletions
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -74,6 +74,7 @@ jobs:
      mcp_process: ${{ steps.detect.outputs.mcp_process }}
      plugin: ${{ steps.detect.outputs.plugin }}
      plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
+      plugin_sdk_reply: ${{ steps.detect.outputs.plugin_sdk_reply }}
      provider: ${{ steps.detect.outputs.provider }}
      session_diagnostics: ${{ steps.detect.outputs.session_diagnostics }}
    steps:
@@ -92,6 +93,7 @@ jobs:
          mcp_process=false
          plugin=false
          plugin_sdk_package=false
+          plugin_sdk_reply=false
          provider=false
          session_diagnostics=false

@@ -101,6 +103,7 @@ jobs:
            mcp_process=true
            plugin=true
            plugin_sdk_package=true
+            plugin_sdk_reply=true
            provider=true
            session_diagnostics=true
          else
@@ -112,6 +115,7 @@ jobs:
                  mcp_process=true
                  plugin=true
                  plugin_sdk_package=true
+                  plugin_sdk_reply=true
                  provider=true
                  session_diagnostics=true
                  ;;
@@ -131,6 +135,11 @@ jobs:
                src/infra/outbound/*|src/mcp/*|src/process/*)
                  mcp_process=true
                  ;;
+                src/plugin-sdk/inbound-envelope.ts|src/plugin-sdk/inbound-reply-dispatch.ts|src/plugin-sdk/reply-*.ts|src/plugin-sdk/channel-reply-*.ts|src/plugin-sdk/delivery-queue-runtime.ts|src/plugin-sdk/outbound-runtime.ts|src/plugin-sdk/outbound-send-deps.ts|src/plugin-sdk/model-session-runtime.ts|src/plugin-sdk/session-*.ts|src/plugin-sdk/thread-bindings-runtime.ts|src/plugin-sdk/thread-bindings-session-runtime.ts|src/plugin-sdk/conversation-binding-runtime.ts)
+                  plugin=true
+                  plugin_sdk_package=true
+                  plugin_sdk_reply=true
+                  ;;
                src/plugin-sdk/*)
                  plugin=true
                  plugin_sdk_package=true
@@ -158,6 +167,7 @@ jobs:
            echo "mcp_process=${mcp_process}"
            echo "plugin=${plugin}"
            echo "plugin_sdk_package=${plugin_sdk_package}"
+            echo "plugin_sdk_reply=${plugin_sdk_reply}"
            echo "provider=${provider}"
            echo "session_diagnostics=${session_diagnostics}"
          } >> "${GITHUB_OUTPUT}"
@@ -344,7 +354,8 @@ jobs:

  plugin-sdk-reply-runtime:
    name: Critical Quality (plugin-sdk-reply-runtime)
-    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
+    needs: quality-shards
+    if: ${{ needs.quality-shards.outputs.plugin_sdk_reply == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -335,7 +335,7 @@ The pull request guard stays light: it only starts for changes under `.github/ac

 ### Critical Quality categories

-`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `channel-runtime-boundary`, `gateway-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, and `plugin-sdk-package-contract` shards for channel runtime, gateway protocol/server-method, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK, or package-contract changes. CodeQL config and quality workflow changes run all seven PR quality shards.
+`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `channel-runtime-boundary`, `gateway-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, `plugin-sdk-package-contract`, and `plugin-sdk-reply-runtime` shards for channel runtime, gateway protocol/server-method, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK/package-contract, or Plugin SDK reply runtime changes. CodeQL config and quality workflow changes run all eight PR quality shards.

 Manual dispatch accepts: