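# CodeQL code-scanning workflow.
#
# Runs nightly (schedule) and on demand (workflow_dispatch, with a profile
# selector). The two Linux jobs cover javascript-typescript and the Actions
# workflows themselves; the Android and macOS jobs need a real build and are
# therefore only reachable through an explicit workflow_dispatch profile.
#
# Every third-party action is pinned to a full commit SHA (the trailing
# "# vN" comment records the tag the SHA was taken from) so a moved tag
# cannot change what this workflow executes.
name: CodeQL

on:
  workflow_dispatch:
    inputs:
      profile:
        description: CodeQL profile to run
        required: false
        default: all
        type: choice
        options:
          - all
          - security
          - quality
          - android-security
          - macos-security
  schedule:
    - cron: "0 6 * * *"

# One group per manual run (run_id), one group per commit for scheduled runs.
# cancel-in-progress stays false so a scan is never killed half-way and
# leaves the code-scanning view stale.
concurrency:
  group: codeql-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
  cancel-in-progress: false

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# Least privilege for GITHUB_TOKEN: read-only on code and workflow runs,
# write only on security-events (required to upload SARIF).
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  critical-security:
    name: Critical Security (${{ matrix.language }})
    # Scheduled runs always execute; manual runs only for the matching profile.
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security' }}
    runs-on: ${{ matrix.runs_on }}
    timeout-minutes: ${{ matrix.timeout_minutes }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: javascript-typescript
            runs_on: blacksmith-8vcpu-ubuntu-2404
            timeout_minutes: 25
            config_file: ./.github/codeql/codeql-javascript-typescript-critical-security.yml
          - language: actions
            runs_on: blacksmith-8vcpu-ubuntu-2404
            timeout_minutes: 10
            config_file: ./.github/codeql/codeql-actions-critical-security.yml
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false
          # Nothing in this job pushes or fetches after checkout, so do not
          # leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: ${{ matrix.language }}
          config-file: ${{ matrix.config_file }}
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          # Distinct category per language so uploads do not overwrite each other.
          category: "/codeql-critical-security/${{ matrix.language }}"

  critical-quality:
    name: Critical Quality (javascript-typescript)
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'quality' }}
    runs-on: blacksmith-8vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false
          persist-credentials: false
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-javascript-typescript-critical-quality.yml
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/javascript-typescript"

  android-security:
    name: Critical Security (android)
    # Manual only: this job compiles the Android app, which is too slow for
    # the nightly schedule.
    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'android-security' }}
    runs-on: blacksmith-8vcpu-ubuntu-2404
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false
          # The Gradle build below runs repository-defined build logic; keep
          # the security-events:write token out of the workspace while it does.
          persist-credentials: false
      - name: Setup Java
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
        with:
          distribution: temurin
          java-version: "21"
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: java-kotlin
          # build-mode: manual — the compile happens in the explicit step
          # below, between init and analyze, so the CodeQL tracer sees it.
          build-mode: manual
          config-file: ./.github/codeql/codeql-android-critical-security.yml
      - name: Build Android for CodeQL
        working-directory: apps/android
        run: ./gradlew --no-daemon :app:assemblePlayDebug
      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-security/android"

  macos-security:
    name: Critical Security (macOS)
    if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'macos-security' }}
    runs-on: blacksmith-6vcpu-macos-latest
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false
          # swift build resolves and compiles package dependencies from the
          # checkout; do not leave the workflow token readable to that step.
          persist-credentials: false
      - name: Select Xcode
        run: |
          sudo xcode-select -s /Applications/Xcode_26.1.app
          xcodebuild -version
          swift --version
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: swift
          build-mode: manual
          config-file: ./.github/codeql/codeql-macos-critical-security.yml
      - name: Build macOS for CodeQL
        run: swift build --package-path apps/macos --product OpenClaw
      - name: Analyze
        id: analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          # Write SARIF to disk instead of uploading it directly; the raw
          # results are only uploaded when the analysis itself fails. The
          # normal path is the filter + upload-sarif pair below.
          output: sarif-results
          upload: failure-only
          category: "/codeql-critical-security/macos"
      - name: Remove dependency build results
        # Drop findings whose every location lies under apps/macos/.build/
        # (SwiftPM's checkout of third-party dependencies) so only first-party
        # code is reported. A result with no locations, or with at least one
        # location outside .build/, is kept.
        env:
          # Passed through env rather than interpolated into the script so the
          # value is never re-parsed by the shell.
          SARIF_OUTPUT: sarif-results
        run: |
          set -euo pipefail
          shopt -s nullglob
          if [ ! -d "$SARIF_OUTPUT" ]; then
            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
            exit 1
          fi
          mkdir -p sarif-results-filtered
          files=("$SARIF_OUTPUT"/*.sarif)
          # nullglob makes an empty match an empty array; fail loudly rather
          # than silently uploading nothing.
          if [ "${#files[@]}" -eq 0 ]; then
            echo "No SARIF files found in $SARIF_OUTPUT" >&2
            exit 1
          fi
          for file in "${files[@]}"; do
            jq '
              def in_dependency_build:
                ((.locations // []) | length > 0)
                and all(.locations[];
                        (.physicalLocation.artifactLocation.uri? // "")
                        | test("^apps/macos/\\.build/"));
              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
            ' "$file" > "sarif-results-filtered/$(basename "$file")"
          done
      - name: Upload filtered SARIF
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          sarif_file: sarif-results-filtered
          # Same category as the analyze step so the filtered upload replaces,
          # rather than sits beside, the unfiltered one.
          category: "/codeql-critical-security/macos"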