ci: shard control ui codeql quality

Adds a narrow CodeQL Critical Quality shard for the Control UI/control-plane surface and fixes the custom-theme font-family ReDoS finding discovered by the new shard.
2026-05-06 12:00:44 +00:00 · 2026-04-28 20:24:19 -07:00
parent c20a3f548f
commit e53c45ba94
5 changed files with 95 additions and 3 deletions
--- a/.github/workflows/codeql-critical-quality.yml
+++ b/.github/workflows/codeql-critical-quality.yml
@@ -123,6 +123,27 @@ jobs:
        with:
          category: "/codeql-critical-quality/agent-runtime-boundary"

+  ui-control-plane:
+    name: Critical Quality (ui-control-plane)
+    runs-on: blacksmith-4vcpu-ubuntu-2404
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        with:
+          category: "/codeql-critical-quality/ui-control-plane"
+
  plugin-boundary:
    name: Critical Quality (plugin-boundary)
    runs-on: blacksmith-4vcpu-ubuntu-2404