Vincent Koc
6e73101df3
chore(ci): widen CodeQL PR guard
...
Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
2026-04-29 20:06:50 -07:00
Vincent Koc
8aed80d2fa
chore(ci): add CodeQL PR security guard
...
Runs the narrow CodeQL critical-security matrix on non-draft pull requests for code and workflow security-boundary changes.
2026-04-29 19:19:45 -07:00
Vincent Koc
6717f8b334
chore(ci): add plugin trust CodeQL shard
...
Adds the plugin trust-boundary CodeQL security shard on Blacksmith and documents the rollout scope.
2026-04-29 15:02:06 -07:00
Vincent Koc
71ab341f46
chore(ci): rename CodeQL auth security shard
...
Renames the default auth/secrets CodeQL security category from the generic javascript-typescript label to core-auth-secrets.
Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25134871512 passed on 1d9f727bfd
2026-04-29 14:32:34 -07:00
Vincent Koc
cd6efd1a42
chore(ci): add MCP process CodeQL shard
...
Adds the focused MCP/process/tool-execution CodeQL security shard and documents it in CI docs.
Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25132942030 passed on 9d8ca2bae7
2026-04-29 13:48:53 -07:00
Vincent Koc
c9156cd9a8
chore(ci): add network SSRF CodeQL shard
...
Adds a narrow critical-security CodeQL shard for the network/SSRF boundary and documents the new category.
2026-04-29 13:08:46 -07:00
Vincent Koc
3ae69498e2
ci: shard channel codeql security
...
Add a narrow channel-runtime CodeQL critical-security shard and document it.
2026-04-28 12:46:44 -07:00
Vincent Koc
77192572f6
ci: split macos codeql shard
...
Split the slow macOS CodeQL job into its own weekly/manual workflow and keep the daily CodeQL default on the fast JS/Actions security path.
2026-04-28 03:14:07 -07:00
Vincent Koc
b6a21cde34
ci: schedule android codeql shard ( #73430 )
2026-04-28 01:54:57 -07:00
Vincent Koc
dbab162abd
ci: split codeql quality workflow ( #73404 )
2026-04-28 01:04:59 -07:00
Vincent Koc
cc80a40d86
fix(ci): preserve mixed macOS CodeQL SARIF findings
...
Conservatively filter macOS CodeQL SARIF by dropping only findings where every location is SwiftPM build output. Verified with workflow sanity, local jq filtering, PR CI, and a failed-job rerun for an unrelated stalled Vitest shard.
2026-04-27 15:43:53 -07:00
Vincent Koc
6e77c10c6c
fix(ci): harden macOS CodeQL SARIF filtering
...
Harden the macOS CodeQL SARIF filter to drop only findings whose primary location is SwiftPM build output. Verified with workflow sanity, local jq filtering, full PR CI, and profile=macos-security branch proof in 18m44s.
2026-04-27 15:25:38 -07:00
Vincent Koc
2c2a240344
fix(ci): filter macOS CodeQL dependency SARIF
...
Filter SwiftPM dependency build results from the manual macOS CodeQL shard before upload. Verified with workflow sanity, local jq filtering, and profile=macos-security branch proof in 15m54s. PR CI has the same unrelated extensions/memory-core timeout failure currently present on main.
2026-04-27 14:37:29 -07:00
Vincent Koc
36b5e34fc0
fix(ci): add macOS CodeQL security shard
...
Add a manual macOS CodeQL security shard scoped to app sources. Verified with profile=macos-security on Blacksmith in 16m55s.
2026-04-27 13:40:34 -07:00
Vincent Koc
74eccd42d8
fix(ci): add android CodeQL security shard
...
Add a manual Android CodeQL security shard scoped to app production sources. Verified with profile=android-security on Blacksmith in 4m22s.
2026-04-27 12:32:55 -07:00
dependabot[bot]
48f433479d
chore(deps): bump github/codeql-action
...
Bump github/codeql-action from b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 to 95e58e9a2cdfd71adc6e0353d5c52f41a045d225.
2026-04-27 12:01:27 -07:00
Vincent Koc
282af9c50a
fix(ci): run CodeQL on small Blacksmith runners ( #72988 )
2026-04-27 11:56:48 -07:00
Vincent Koc
e864fd39cc
fix(ci): narrow CodeQL critical scan ( #72982 )
2026-04-27 11:42:42 -07:00
Mason Huang
b79272baad
CI: increase CodeQL JavaScript runner size ( #71402 )
...
* CI: increase CodeQL JavaScript runner size
* CI: trim CodeQL JavaScript scope further
* ci: keep CodeQL extension coverage
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com >
2026-04-25 13:04:48 +08:00
Peter Steinberger
b2b43085bc
ci: use larger Blacksmith macOS runners
2026-04-21 19:03:50 +01:00
Peter Steinberger
24644e3c27
ci: remove sticky disk cache plumbing
2026-04-20 16:03:55 +01:00
Mason Huang
69d25f5f16
CI: add daily schedule to CodeQL workflow ( #67645 )
...
* CI: add weekly schedule to CodeQL workflow
* CI: add daily schedule to CodeQL workflow and pin third-party actions
2026-04-16 21:27:45 +08:00
Ayaan Zaidi
0c2e6fe97f
ci(android): use explicit flavor debug tasks
2026-03-20 12:55:52 +05:30
Peter Steinberger
6a812b621d
ci: modernize GitHub Actions workflow versions
2026-03-13 16:57:23 +00:00
Peter Steinberger
41718404a1
ci: opt workflows into Node 24 action runtime
2026-03-13 16:41:22 +00:00
Val Alexander
5296147c20
CI: select Swift 6.2 toolchain for CodeQL ( #41787 )
...
Merged via squash.
Prepared head SHA: 8abc6c165768980965+BunsDev@users.noreply.github.com >
Co-authored-by: BunsDev <68980965+BunsDev@users.noreply.github.com >
Reviewed-by: @BunsDev
2026-03-10 01:22:41 -05:00
Vincent Koc
b6520d7172
CI: scope CodeQL JavaScript analysis
2026-03-08 10:29:56 -07:00
Vincent Koc
c6ff137a6f
CI: make CodeQL manual only
2026-03-07 18:23:21 -08:00
Vincent Koc
1e3daa6373
CI: fix CodeQL concurrency
2026-03-07 18:20:32 -08:00
Vincent Koc
31564bed1d
CI: fix CodeQL manual builds
2026-03-07 18:18:53 -08:00
Vincent Koc
b2f8f5e4dd
CI: add CodeQL workflow
2026-03-07 18:15:06 -08:00
