fix(ci): narrow CodeQL critical scan (#72982)

2026-05-06 10:30:44 +00:00 · 2026-04-27 11:42:42 -07:00
parent 1497425b8d
commit e864fd39cc
6 changed files with 175 additions and 120 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,12 +2,22 @@ name: CodeQL

 on:
  workflow_dispatch:
+    inputs:
+      profile:
+        description: CodeQL profile to run
+        required: false
+        default: all
+        type: choice
+        options:
+          - all
+          - security
+          - quality
  schedule:
    - cron: "0 6 * * *"

 concurrency:
-  group: codeql-${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
+  cancel-in-progress: false

 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -18,121 +28,58 @@ permissions:
  security-events: write

 jobs:
-  analyze:
-    name: Analyze (${{ matrix.language }})
+  critical-security:
+    name: Critical Security (${{ matrix.language }})
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security' }}
    runs-on: ${{ matrix.runs_on }}
+    timeout-minutes: ${{ matrix.timeout_minutes }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
-            runs_on: blacksmith-32vcpu-ubuntu-2404
-            needs_node: true
-            needs_python: false
-            needs_java: false
-            needs_swift_tools: false
-            needs_manual_build: false
-            needs_autobuild: false
-            config_file: ./.github/codeql/codeql-javascript-typescript.yml
+            runs_on: ubuntu-24.04
+            timeout_minutes: 25
+            config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
          - language: actions
-            runs_on: blacksmith-16vcpu-ubuntu-2404
-            needs_node: false
-            needs_python: false
-            needs_java: false
-            needs_swift_tools: false
-            needs_manual_build: false
-            needs_autobuild: false
-            config_file: ""
-          - language: python
-            runs_on: blacksmith-16vcpu-ubuntu-2404
-            needs_node: false
-            needs_python: true
-            needs_java: false
-            needs_swift_tools: false
-            needs_manual_build: false
-            needs_autobuild: false
-            config_file: ""
-          - language: java-kotlin
-            runs_on: blacksmith-16vcpu-ubuntu-2404
-            needs_node: false
-            needs_python: false
-            needs_java: true
-            needs_swift_tools: false
-            needs_manual_build: true
-            needs_autobuild: false
-            config_file: ""
-          - language: swift
-            runs_on: ${{ github.repository == 'openclaw/openclaw' && 'blacksmith-12vcpu-macos-latest' || 'macos-latest' }}
-            needs_node: false
-            needs_python: false
-            needs_java: false
-            needs_swift_tools: true
-            needs_manual_build: true
-            needs_autobuild: false
-            config_file: ""
+            runs_on: ubuntu-24.04
+            timeout_minutes: 10
+            config_file: ./.github/codeql/codeql-actions-critical-security.yml
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

-      - name: Setup Node environment
-        if: matrix.needs_node
-        uses: ./.github/actions/setup-node-env
-        with:
-          install-bun: "false"
-
-      - name: Setup Python
-        if: matrix.needs_python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
-        with:
-          python-version: "3.12"
-
-      - name: Setup Java
-        if: matrix.needs_java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
-        with:
-          distribution: temurin
-          java-version: "21"
-
-      - name: Setup Swift build tools
-        if: matrix.needs_swift_tools
-        run: |
-          sudo xcode-select -s /Applications/Xcode_26.1.app
-          xcodebuild -version
-          brew install xcodegen swiftlint swiftformat
-          swift --version
-
      - name: Initialize CodeQL
        uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
        with:
          languages: ${{ matrix.language }}
-          queries: security-and-quality
-          config-file: ${{ matrix.config_file || '' }}
-
-      - name: Autobuild
-        if: matrix.needs_autobuild
-        uses: github/codeql-action/autobuild@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
-
-      - name: Build Android for CodeQL
-        if: matrix.language == 'java-kotlin'
-        working-directory: apps/android
-        run: ./gradlew --no-daemon :app:assemblePlayDebug
-
-      - name: Build Swift for CodeQL
-        if: matrix.language == 'swift'
-        run: |
-          set -euo pipefail
-          swift build --package-path apps/macos --configuration release
-          cd apps/ios
-          xcodegen generate
-          xcodebuild build \
-            -project OpenClaw.xcodeproj \
-            -scheme OpenClaw \
-            -destination "generic/platform=iOS Simulator" \
-            CODE_SIGNING_ALLOWED=NO
+          config-file: ${{ matrix.config_file }}

      - name: Analyze
        uses: github/codeql-action/analyze@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
        with:
-          category: "/language:${{ matrix.language }}"
+          category: "/codeql-critical-security/${{ matrix.language }}"
+
+  critical-quality:
+    name: Critical Quality (javascript-typescript)
+    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'quality' }}
+    runs-on: ubuntu-24.04
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          submodules: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
+        with:
+          languages: javascript-typescript
+          config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
+        with:
+          category: "/codeql-critical-quality/javascript-typescript"