Vincent Koc
e0c75cd0bd
chore(ci): cover bundled channels in CodeQL PR guard
Extends the channel CodeQL quality shard to bundled channel plugin source directories and documents the scoped PR guard coverage.
2026-04-29 23:28:18 -07:00
Vincent Koc
eea964330c
chore(ci): add gateway CodeQL PR quality guard
Adds the gateway runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and documents the shard selector behavior.
2026-04-29 21:26:03 -07:00
Vincent Koc
6e73101df3
chore(ci): widen CodeQL PR guard
Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
2026-04-29 20:06:50 -07:00
Vincent Koc
845dd2a7d5
chore(ci): add provider runtime CodeQL quality shard
Adds a focused non-security CodeQL quality shard for provider runtime and model catalog contracts.
2026-04-29 16:15:38 -07:00
Vincent Koc
847d8fa0e1
chore(ci): add Plugin SDK reply CodeQL quality shard
Adds a focused non-security CodeQL quality shard for Plugin SDK reply/session delivery runtime contracts.
2026-04-29 15:56:41 -07:00
Vincent Koc
8f50920c45
chore(ci): add session diagnostics CodeQL quality shard
Adds a focused non-security CodeQL quality shard for session diagnostics, delivery queues, and related diagnostic contracts.
2026-04-29 15:29:03 -07:00
Vincent Koc
6717f8b334
chore(ci): add plugin trust CodeQL shard
Adds the plugin trust-boundary CodeQL security shard on Blacksmith and documents the rollout scope.
2026-04-29 15:02:06 -07:00
Vincent Koc
71ab341f46
chore(ci): rename CodeQL auth security shard
Renames the default auth/secrets CodeQL security category from the generic javascript-typescript label to core-auth-secrets.
Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25134871512 passed on 1d9f727bfd.
- Core auth/secrets analysis 1200412263 returned 0 results.
- Branch open CodeQL alerts: none.
- Workflow Sanity, Blacksmith Testbox, Blacksmith Build Artifacts Testbox, and OpenGrep PR Diff passed.
Scope is label/config only: same paths, query pack, filters, timeout, and runner.
2026-04-29 14:32:34 -07:00
Vincent Koc
cd6efd1a42
chore(ci): add MCP process CodeQL shard
Adds the focused MCP/process/tool-execution CodeQL security shard and documents it in CI docs.
Proof:
- Branch CodeQL security run https://github.com/openclaw/openclaw/actions/runs/25132942030 passed on 9d8ca2bae7.
- New mcp-process-tool-boundary analysis 1200250367 returned 0 results.
- Branch open CodeQL alerts: none.
- Workflow Sanity, Blacksmith Testbox, Blacksmith Build Artifacts Testbox, and OpenGrep PR Diff passed.
2026-04-29 13:48:53 -07:00
Vincent Koc
c9156cd9a8
chore(ci): add network SSRF CodeQL shard
Adds a narrow critical-security CodeQL shard for the network/SSRF boundary and documents the new category.
2026-04-29 13:08:46 -07:00
Mason Huang
7108414009
ci: add codeql quality profile input (#74348)
* ci: add codeql quality profile input
* ci: gate codeql quality profiles
* ci: ignore spec files in codeql shard
2026-04-29 22:39:54 +08:00
Mason Huang
dda765c445
ci: add plugin sdk package contract codeql quality shard (#74342)
2026-04-29 21:33:11 +08:00
Vincent Koc
6a3310bbda
chore(ci): add memory CodeQL quality shard
Adds a narrow CodeQL Critical Quality shard for the memory host/runtime boundary.
2026-04-29 00:18:30 -07:00
Vincent Koc
1d87d757e9
ci: add mcp process codeql quality shard
2026-04-28 23:36:34 -07:00
Vincent Koc
6186ed2c07
ci: rename codeql quality baseline shard
2026-04-28 22:52:55 -07:00
Vincent Koc
2f04731a48
ci: shard web media codeql quality
2026-04-28 22:18:21 -07:00
Vincent Koc
e53c45ba94
ci: shard control ui codeql quality
Adds a narrow CodeQL Critical Quality shard for the Control UI/control-plane surface and fixes the custom-theme font-family ReDoS finding discovered by the new shard.
2026-04-28 20:24:19 -07:00
Vincent Koc
9c9dcd4d5d
ci: shard agent runtime codeql quality
Add the agent runtime boundary to the CodeQL Critical Quality workflow.
2026-04-28 16:18:33 -07:00
Vincent Koc
3ae69498e2
ci: shard channel codeql security
Add a narrow channel-runtime CodeQL critical-security shard and document it.
2026-04-28 12:46:44 -07:00
Vincent Koc
bb0461b682
ci: shard channel codeql quality
Add a narrow channel-runtime CodeQL critical-quality shard and document it.
2026-04-28 11:52:54 -07:00
Vincent Koc
e476523082
ci: shard gateway codeql quality
Add a narrow gateway/runtime CodeQL critical-quality shard and document it.
2026-04-28 11:16:48 -07:00
Vincent Koc
e10f493160
ci: shard config codeql quality
Split config quality CodeQL results into a separate category while keeping the default quality bucket narrow.
2026-04-28 04:00:14 -07:00
Vincent Koc
5820a48fca
ci: add plugin boundary codeql quality shard (#73447)
2026-04-28 02:30:33 -07:00
Vincent Koc
1278f0bcc0
fix(codeql): tune Android pinning profile
Remove noisy missing-certificate-pinning query from the critical Android CodeQL profile; gateway TLS uses custom certificate fingerprint pinning.
2026-04-27 23:04:16 -07:00
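Several entries above describe one mechanism from different angles: a single CodeQL workflow split into path-scoped shards, each uploading under its own category (the rename from the generic javascript-typescript label to core-auth-secrets), security and quality shards selected through a profile input, spec files ignored by the quality shards, and a noisy query dropped from the Android profile. The workflow below is an added example of how those pieces fit together in GitHub Actions; it is not openclaw's workflow and is not taken from any of the commits listed here. The file name, runner label, shard names, path globs and the allowed values of the `profile` input are assumptions. The query id `java/android/missing-certificate-pinning` is the real CodeQL query for the check the Android entry above says was removed.

```yaml
# Hypothetical .github/workflows/codeql-shards.yml (added example, not the project's file).
# Shard names, paths, runner label and `profile` values are assumptions; the query id
# in the Android shard's query-filters is the real CodeQL id for the pinning check.
name: CodeQL shards

on:
  pull_request:
  workflow_dispatch:
    inputs:
      profile:
        description: "Shard to run: all, or one category name from the matrix"
        required: false
        default: all

permissions:
  contents: read
  security-events: write

jobs:
  analyze:
    runs-on: ubuntu-latest   # assumption; the runs cited above use Blacksmith runners
    strategy:
      fail-fast: false
      matrix:
        include:
          # Security shards: narrow paths, one SARIF category per trust boundary.
          - category: core-auth-secrets
            language: javascript-typescript
            queries: security-extended
            paths: '["src/auth/**", "src/secrets/**"]'
            query-filters: '[]'
          - category: network-ssrf-boundary
            language: javascript-typescript
            queries: security-extended
            paths: '["src/net/**", "src/fetch/**"]'
            query-filters: '[]'
          # Quality shard: same mechanism, different query suite and category.
          - category: quality-gateway-runtime
            language: javascript-typescript
            queries: security-and-quality
            paths: '["src/gateway/**"]'
            query-filters: '[]'
          # Android shard: exclude the pinning query, because pinning is done by
          # custom certificate-fingerprint checks that this query does not model.
          - category: android-security
            language: java-kotlin
            queries: security-extended
            paths: '["apps/android/app/src/main/**"]'
            query-filters: '[{exclude: {id: java/android/missing-certificate-pinning}}]'
    steps:
      - uses: actions/checkout@v4

      # Manual runs execute only the selected shard; PR runs execute every shard.
      - name: Initialize CodeQL (${{ matrix.category }})
        if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == matrix.category }}
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: ${{ matrix.queries }}
          # Inline config: scope to the shard's paths, skip test files, apply filters.
          config: |
            paths: ${{ matrix.paths }}
            paths-ignore:
              - "**/*.spec.ts"
              - "**/*.test.ts"
            query-filters: ${{ matrix['query-filters'] }}

      - name: Analyze (${{ matrix.category }})
        if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == matrix.category }}
        uses: github/codeql-action/analyze@v3
        with:
          # The category keys the SARIF upload. Renaming it (as in 71ab341f46) moves
          # results to a new bucket, so confirm the old label shows no open alerts.
          category: ${{ matrix.category }}
```

Two checks are worth doing after a change of this shape. First, confirm that the union of the shards' `paths` still covers every directory the previous single-category analysis scanned, since a shard that is narrowed silently stops scanning whatever it drops rather than failing. Second, after renaming a category, confirm that no alerts remain open under the old label: alerts are keyed by category, not by path, so the "Branch open CodeQL alerts: none" proof recorded above is the right thing to look at, not only the result count of the new analysis.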
Vincent Koc
2bce63cb65
fix(android): harden canvas webview bridge (#73240)
* fix(android): harden canvas webview bridge
* fix(android): make canvas content access hardening explicit
* fix(android): keep webview hardening inline for CodeQL
* fix(android): avoid webview getter false positive
2026-04-27 21:41:01 -07:00
Vincent Koc
36b5e34fc0
fix(ci): add macOS CodeQL security shard
Add a manual macOS CodeQL security shard scoped to app sources. Verified with profile=macos-security on Blacksmith in 16m55s.
2026-04-27 13:40:34 -07:00
Vincent Koc
74eccd42d8
fix(ci): add android CodeQL security shard
Add a manual Android CodeQL security shard scoped to app production sources. Verified with profile=android-security on Blacksmith in 4m22s.
2026-04-27 12:32:55 -07:00
Vincent Koc
e864fd39cc
fix(ci): narrow CodeQL critical scan (#72982)
2026-04-27 11:42:42 -07:00
Mason Huang
5d4931cc3f
CI: trim CodeQL JavaScript scope (#71347)
2026-04-25 09:57:12 +08:00
Vincent Koc
b6520d7172
CI: scope CodeQL JavaScript analysis
2026-03-08 10:29:56 -07:00