From e0c75cd0bd22c0cbd1b1727204bd69212bf34ea5 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Wed, 29 Apr 2026 23:28:18 -0700
Subject: [PATCH] chore(ci): cover bundled channels in CodeQL PR guard

Extends the channel CodeQL quality shard to bundled channel plugin source directories and documents the scoped PR guard coverage.
---
 ...nnel-runtime-boundary-critical-quality.yml | 23 +++++++++++++++++
 .github/workflows/codeql-critical-quality.yml | 25 ++++++++++++++++++-
 docs/ci.md | 4 +--
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml b/.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
index d1babbc8cae..087d3472865 100644
--- a/.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
+++ b/.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
@@ -14,6 +14,29 @@ query-filters:
         - security
 paths:
+  - extensions/bluebubbles/src
+  - extensions/discord/src
+  - extensions/feishu/src
+  - extensions/googlechat/src
+  - extensions/imessage/src
+  - extensions/irc/src
+  - extensions/line/src
+  - extensions/matrix/src
+  - extensions/mattermost/src
+  - extensions/msteams/src
+  - extensions/nextcloud-talk/src
+  - extensions/nostr/src
+  - extensions/qa-channel/src
+  - extensions/qqbot/src
+  - extensions/signal/src
+  - extensions/slack/src
+  - extensions/synology-chat/src
+  - extensions/telegram/src
+  - extensions/tlon/src
+  - extensions/twitch/src
+  - extensions/whatsapp/src
+  - extensions/zalo/src
+  - extensions/zalouser/src
   - src/channels
 paths-ignore:
diff --git a/.github/workflows/codeql-critical-quality.yml b/.github/workflows/codeql-critical-quality.yml
index 5649878a53d..25e141938a1 100644
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
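Review bot: The 23 `extensions/<name>/src` entries added under `paths:` are a hand-copied duplicate of the list this same commit adds to the workflow's `pull_request.paths` filter and to its shard-routing `case`, and nothing ties the three copies together, so a bundled channel added to only one of them is silently left out of the PR quality guard while docs/ci.md now states it is covered. I would at least flag that above the block: `# Bundled channel plugins — mirror of the pull_request.paths filter and the channel routing case in .github/workflows/codeql-critical-quality.yml; a directory missing from any copy drops that plugin out of the PR guard.` A cheap backstop would be a CI assertion that every `extensions/*/src` directory the repo treats as a channel appears in this list, though how channel packages are identified is not visible in this patch. The blank context lines of this hunk appear to have been lost in extraction, and the `paths-ignore` block that follows is cut off, so whether it excludes anything from these new trees cannot be checked here.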
@@ -30,6 +30,29 @@ on:
       - "packages/plugin-sdk/**"
       - "packages/memory-host-sdk/**"
       - "src/config/**"
+      - "extensions/bluebubbles/src/**"
+      - "extensions/discord/src/**"
+      - "extensions/feishu/src/**"
+      - "extensions/googlechat/src/**"
+      - "extensions/imessage/src/**"
+      - "extensions/irc/src/**"
+      - "extensions/line/src/**"
+      - "extensions/matrix/src/**"
+      - "extensions/mattermost/src/**"
+      - "extensions/msteams/src/**"
+      - "extensions/nextcloud-talk/src/**"
+      - "extensions/nostr/src/**"
+      - "extensions/qa-channel/src/**"
+      - "extensions/qqbot/src/**"
+      - "extensions/signal/src/**"
+      - "extensions/slack/src/**"
+      - "extensions/synology-chat/src/**"
+      - "extensions/telegram/src/**"
+      - "extensions/tlon/src/**"
+      - "extensions/twitch/src/**"
+      - "extensions/whatsapp/src/**"
+      - "extensions/zalo/src/**"
+      - "extensions/zalouser/src/**"
       - "src/agents/*auth*.ts"
       - "src/agents/**/*auth*.ts"
       - "src/agents/auth-health*.ts"
@@ -167,7 +190,7 @@ jobs:
           src/auto-reply/reply/post-compaction-context.ts|src/auto-reply/reply/queue/*|src/auto-reply/reply/startup-context.ts|src/commands/doctor-session-*.ts|src/commands/session-store-targets.ts|src/commands/sessions*.ts|src/infra/diagnostic-*.ts|src/infra/diagnostics-timeline.ts|src/infra/session-delivery-queue*.ts|src/logging/diagnostic*.ts)
             session_diagnostics=true
             ;;
-          src/channels/*)
+          extensions/bluebubbles/src/*|extensions/discord/src/*|extensions/feishu/src/*|extensions/googlechat/src/*|extensions/imessage/src/*|extensions/irc/src/*|extensions/line/src/*|extensions/matrix/src/*|extensions/mattermost/src/*|extensions/msteams/src/*|extensions/nextcloud-talk/src/*|extensions/nostr/src/*|extensions/qa-channel/src/*|extensions/qqbot/src/*|extensions/signal/src/*|extensions/slack/src/*|extensions/synology-chat/src/*|extensions/telegram/src/*|extensions/tlon/src/*|extensions/twitch/src/*|extensions/whatsapp/src/*|extensions/zalo/src/*|extensions/zalouser/src/*|src/channels/*)
             channel=true
             ;;
           src/config/*)
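Review bot: The new 23-way alternative in front of `channel=true` is a single line of roughly 700 characters, which makes the next addition or rename of a bundled channel very hard to review and is the copy of the channel list most likely to drift from the CodeQL config `paths:` and the `pull_request.paths` filter added in the same commit. Because `case` takes the first matching branch and each branch sets exactly one flag, a plugin path absent from this line is routed to no shard, or to whichever later branch happens to match, even when the workflow was triggered for it. I would split the alternatives with backslash continuation, three per line, and leave a comment naming the other two copies; this assumes the step's `run:` is a YAML literal block scalar so the continuations reach the shell unchanged. The enclosing `case` statement and the step it lives in start and end outside the hunk.
```shell
          # … unchanged: earlier case branches, including session_diagnostics …
          # Bundled channel plugins. Keep in sync with the `paths:` list in
          # .github/codeql/codeql-channel-runtime-boundary-critical-quality.yml
          # and with the pull_request.paths filter at the top of this workflow;
          # a directory missing here is never routed to the channel shard.
          extensions/bluebubbles/src/*|extensions/discord/src/*|extensions/feishu/src/*|\
          extensions/googlechat/src/*|extensions/imessage/src/*|extensions/irc/src/*|\
          extensions/line/src/*|extensions/matrix/src/*|extensions/mattermost/src/*|\
          extensions/msteams/src/*|extensions/nextcloud-talk/src/*|extensions/nostr/src/*|\
          extensions/qa-channel/src/*|extensions/qqbot/src/*|extensions/signal/src/*|\
          extensions/slack/src/*|extensions/synology-chat/src/*|extensions/telegram/src/*|\
          extensions/tlon/src/*|extensions/twitch/src/*|extensions/whatsapp/src/*|\
          extensions/zalo/src/*|extensions/zalouser/src/*|src/channels/*)
            channel=true
            ;;
          # … unchanged: src/config/* and later branches …
```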
diff --git a/docs/ci.md b/docs/ci.md
index 6f50f89fe5f..255c7a82228 100644
--- a/docs/ci.md
+++ b/docs/ci.md
@@ -335,7 +335,7 @@ The pull request guard stays light: it only starts for changes under `.github/ac
 ### Critical Quality categories
-`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `config-boundary`, `core-auth-secrets`, `channel-runtime-boundary`, `gateway-runtime-boundary`, `memory-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, `plugin-sdk-package-contract`, and `plugin-sdk-reply-runtime` shards for config schema/migration/IO code, auth/secrets/sandbox/security code, channel runtime, gateway protocol/server-method, memory runtime/SDK glue, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK/package-contract, or Plugin SDK reply runtime changes. CodeQL config and quality workflow changes run all eleven PR quality shards.
+`CodeQL Critical Quality` is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces on the smaller Blacksmith Linux runner. 
Its pull request guard is intentionally smaller than the scheduled profile: non-draft PRs only run the matching `config-boundary`, `core-auth-secrets`, `channel-runtime-boundary`, `gateway-runtime-boundary`, `memory-runtime-boundary`, `mcp-process-runtime-boundary`, `provider-runtime-boundary`, `session-diagnostics-boundary`, `plugin-boundary`, `plugin-sdk-package-contract`, and `plugin-sdk-reply-runtime` shards for config schema/migration/IO code, auth/secrets/sandbox/security code, core channel and bundled channel plugin runtime, gateway protocol/server-method, memory runtime/SDK glue, MCP/process/outbound delivery, provider runtime/model catalog, session diagnostics/delivery queues, plugin loader, Plugin SDK/package-contract, or Plugin SDK reply runtime changes. CodeQL config and quality workflow changes run all eleven PR quality shards.
 Manual dispatch accepts:
@@ -350,7 +350,7 @@ The narrow profiles are teaching/iteration hooks for running one quality shard i
 | `/codeql-critical-quality/core-auth-secrets` | Auth, secrets, sandbox, cron, and gateway security boundary code |
 | `/codeql-critical-quality/config-boundary` | Config schema, migration, normalization, and IO contracts |
 | `/codeql-critical-quality/gateway-runtime-boundary` | Gateway protocol schemas and server method contracts |
-| `/codeql-critical-quality/channel-runtime-boundary` | Core channel implementation contracts |
+| `/codeql-critical-quality/channel-runtime-boundary` | Core channel and bundled channel plugin implementation contracts |
 | `/codeql-critical-quality/agent-runtime-boundary` | Command execution, model/provider dispatch, auto-reply dispatch and queues, and ACP control-plane runtime contracts |
 | `/codeql-critical-quality/mcp-process-runtime-boundary` | MCP servers and tool bridges, process supervision helpers, and outbound delivery contracts |
 | `/codeql-critical-quality/memory-runtime-boundary` | Memory host SDK, memory runtime facades, memory Plugin SDK aliases, memory runtime activation glue, and memory doctor commands |