From dbab162abd95ece516a54ee07877ab24d3f6ff4f Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Tue, 28 Apr 2026 01:04:59 -0700
Subject: [PATCH] ci: split codeql quality workflow (#73404)

---
 .github/CODEOWNERS | 1 +
 .github/workflows/codeql-critical-quality.yml | 40 +++++++++++++++++++
 .github/workflows/codeql.yml | 25 +-----------
 docs/ci.md | 24 ++++++-----
 4 files changed, 57 insertions(+), 33 deletions(-)
 create mode 100644 .github/workflows/codeql-critical-quality.yml

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 253888ad7dc..ac7af649a94 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -9,6 +9,7 @@
 /.github/dependabot.yml @openclaw/secops
 /.github/codeql/ @openclaw/secops
 /.github/workflows/codeql.yml @openclaw/secops
+/.github/workflows/codeql-critical-quality.yml @openclaw/secops
 /src/security/ @openclaw/secops
 /src/secrets/ @openclaw/secops
 /src/config/*secret*.ts @openclaw/secops
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
new file mode 100644
index 00000000000..a7a2e3aeca2
--- /dev/null
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -0,0 +1,40 @@
+name: CodeQL Critical Quality
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "30 6 * * *"
+
+concurrency:
+ group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+ cancel-in-progress: false
+
+env:
+ FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+jobs:
+ javascript-typescript:
+ name: Critical Quality (javascript-typescript)
+ runs-on: blacksmith-8vcpu-ubuntu-2404
+ timeout-minutes: 25
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ submodules: false
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ languages: javascript-typescript
+ config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
+
+ - name: Analyze
+ uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+ with:
+ category: "/codeql-critical-quality/javascript-typescript"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 029376bbe17..9094c12375e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,14 +4,13 @@ on:
 workflow_dispatch:
 inputs:
 profile:
- description: CodeQL profile to run
+ description: CodeQL security profile to run
 required: false
 default: all
 type: choice
 options:
 - all
 - security
- - quality
 - android-security
 - macos-security
 schedule:
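Review bot: The new workflow has no header comment, so nothing in the file itself says why it exists apart from `codeql.yml` or where its query scope is defined; add above `name:` something like `# Non-security CodeQL quality shard over the narrow JS/TS surface; scope is defined in .github/codeql/codeql-javascript-typescript-critical-quality.yml.` followed by `# Kept separate from codeql.yml so quality findings do not obscure security alerts (see docs/ci.md).` The `permissions` block is already the minimum CodeQL needs (`security-events: write` for the SARIF upload performed by the analyze step, `actions` and `contents` read-only) and both actions are SHA-pinned with version comments, which is the right shape for a job whose token carries a write scope on what looks like a third-party runner label (`blacksmith-…`). In `concurrency.group`, the literal `codeql-critical-quality-` prefix is redundant with `${{ github.workflow }}` (this workflow's own name) and could be dropped without changing behaviour; presumably it was carried over from `codeql.yml`. Reusing the exact `category` value the removed job had should keep code-scanning alerts for that category continuous across the split rather than closing and re-creating them.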
@@ -64,28 +63,6 @@ jobs:
 with:
 category: "/codeql-critical-security/${{ matrix.language }}"
- critical-quality:
- name: Critical Quality (javascript-typescript)
- if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'quality' }}
- runs-on: blacksmith-8vcpu-ubuntu-2404
- timeout-minutes: 25
- steps:
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- with:
- submodules: false
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
- with:
- languages: javascript-typescript
- config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
-
- - name: Analyze
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
- with:
- category: "/codeql-critical-quality/javascript-typescript"
- android-security:
- name: Critical Security (android)
- if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'android-security' }}
diff --git a/docs/ci.md b/docs/ci.md
index fadaaaba7f1..5fb0234175a 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -223,15 +223,21 @@ listed PRs when `apply=true`. Before mutating GitHub, it verifies that the landed
 PR is merged and that each duplicate has either a shared referenced issue or
 overlapping changed hunks.
-The `CodeQL` workflow is intentionally a narrow first-pass scanner, not the
-full repository sweep. Daily and manual runs scan Actions workflow code plus the
-highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and gateway
-surfaces. The critical security lane uses high-precision security queries, and
-the separate critical quality lane runs only error-severity non-security
-queries over the same narrow JavaScript/TypeScript surface. Swift, Android,
-Python, UI, and bundled-plugin CodeQL expansion should be added back as scoped
-or sharded follow-up work only after the narrow profile has stable runtime and
-signal.
+The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
+not the full repository sweep. Daily and manual runs scan Actions workflow code
+plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
+gateway surfaces with high-precision security queries. Android and macOS remain
+manual security shards so their runtime and alert quality can be tracked
+separately.
+
+The `CodeQL Critical Quality` workflow is the matching non-security shard. It
+runs only error-severity, non-security JavaScript/TypeScript quality queries
+over the same narrow auth, secrets, sandbox, cron, and gateway surface. Keep it
+separate from the security workflow so quality findings can be scheduled,
+measured, disabled, or expanded without obscuring security signal. Swift,
+Android, Python, UI, and bundled-plugin CodeQL expansion should be added back as
+scoped or sharded follow-up work only after the narrow profiles have stable
+runtime and signal.
 The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping
 existing docs aligned with recently landed changes. It has no pure schedule: a