vrr/openclaw
2
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-19 16:11:08 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 20

chore(ci): add provider runtime CodeQL quality shard
Some checks failed
CI / preflight (push) Waiting to run
Details
CI / security-scm-fast (push) Waiting to run
Details
CI / check-preflight-guards (push) Blocked by required conditions
Details
CI / check-prod-types (push) Blocked by required conditions
Details
CI / check-strict-smoke (push) Blocked by required conditions
Details
CI / check-test-types (push) Blocked by required conditions
Details
CI / security-dependency-audit (push) Waiting to run
Details
CI / security-fast (push) Blocked by required conditions
Details
CI / build-artifacts (push) Blocked by required conditions
Details
CI / (push) Blocked by required conditions
Details
CI / -1 (push) Blocked by required conditions
Details
CI / checks-fast-contracts-plugins (push) Blocked by required conditions
Details
CI / -2 (push) Blocked by required conditions
Details
CI / checks-node-core (push) Blocked by required conditions
Details
CI / check-dependencies (push) Blocked by required conditions
Details
CI / checks-fast-contracts-channels (push) Blocked by required conditions
Details
CI / checks-fast-protocol (push) Blocked by required conditions
Details
CI / -3 (push) Blocked by required conditions
Details
CI / checks-node-compat-node22 (push) Blocked by required conditions
Details
CI / -4 (push) Blocked by required conditions
Details
CI / -5 (push) Blocked by required conditions
Details
CI / check-lint (push) Blocked by required conditions
Details
CI / check-policy-guards (push) Blocked by required conditions
Details
CI / check (push) Blocked by required conditions
Details
CI / check-additional-boundaries (push) Blocked by required conditions
Details
CI / check-additional-extension-bundled (push) Blocked by required conditions
Details
CI / check-additional-extension-channels (push) Blocked by required conditions
Details
CI / check-additional-extension-package-boundary (push) Blocked by required conditions
Details
CI / check-additional-runtime-topology-architecture (push) Blocked by required conditions
Details
CI / check-additional (push) Blocked by required conditions
Details
CI / build-smoke (push) Blocked by required conditions
Details
CI / check-docs (push) Blocked by required conditions
Details
CI / skills-python (push) Blocked by required conditions
Details
CI / -7 (push) Blocked by required conditions
Details
CI / -6 (push) Blocked by required conditions
Details
CI / macos-swift (push) Blocked by required conditions
Details
CI / -8 (push) Blocked by required conditions
Details
ClawSweeper Dispatch / dispatch (push) Waiting to run
Details
Docs Sync Publish Repo / sync-publish-repo (push) Waiting to run
Details
Docs / docs (push) Waiting to run
Details
Plugin NPM Release / preview_plugins_npm (push) Waiting to run
Details
Plugin NPM Release / preview_plugin_pack (push) Blocked by required conditions
Details
Plugin NPM Release / publish_plugins_npm (push) Blocked by required conditions
Details
Workflow Sanity / no-tabs (push) Waiting to run
Details
Workflow Sanity / actionlint (push) Waiting to run
Details
Workflow Sanity / generated-doc-baselines (push) Waiting to run
Details
Control UI Locale Refresh / plan (push) Has been cancelled
Details
Control UI Locale Refresh / Refresh (push) Has been cancelled
Details

Browse source 
Adds a focused non-security CodeQL quality shard for provider runtime and model catalog contracts.
This commit is contained in:
Vincent Koc 2026-04-29 16:15:38 -07:00 committed by GitHub
parent 6662dcf209
commit 845dd2a7d5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 72 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

44
.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml vendored Normal file
View file

@ -0,0 +1,44 @@
name: openclaw-codeql-provider-runtime-boundary-critical-quality
disable-default-queries: true
queries:
- uses: security-and-quality
query-filters:
- include:
problem.severity:
- error
- exclude:
tags:
- security
paths:
- src/model-catalog
- src/plugins/provider-*.ts
- src/plugins/providers*.ts
- src/plugins/*provider*.ts
- src/plugins/capability-provider-runtime.ts
- src/plugins/compaction-provider.ts
- src/plugins/memory-embedding-provider*.ts
- src/plugins/memory-embedding-providers*.ts
- src/plugins/migration-provider-runtime.ts
- src/plugins/synthetic-auth.runtime.ts
- src/plugins/web-fetch-providers*.ts
- src/plugins/web-search-providers*.ts
paths-ignore:
- "**/node_modules"
- "**/coverage"
- "**/*.generated.ts"
- "**/*.bundle.js"
- "**/*-runtime.js"
- "**/*.test.ts"
- "**/*.test.tsx"
- "**/*.e2e.test.ts"
- "**/*.e2e.test.tsx"
- "**/*test-support*"
- "**/*test-helper*"
- "**/*mock*"
- "**/*fixture*"
- "**/*bench*"

23
.github/workflows/codeql-critical-quality.yml vendored
View file

@ -12,6 +12,7 @@ on:
- all
- plugin-sdk-package-contract
- plugin-sdk-reply-runtime
- provider-runtime-boundary
- session-diagnostics-boundary
schedule:
- cron: "30 6 * * *"
@ -227,6 +228,28 @@ jobs:
with:
category: "/codeql-critical-quality/plugin-sdk-reply-runtime"
provider-runtime-boundary:
name: Critical Quality (provider-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary' }}
runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: false
- name: Initialize CodeQL
uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
languages: javascript-typescript
config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml
- name: Analyze
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with:
category: "/codeql-critical-quality/provider-runtime-boundary"
ui-control-plane:
name: Critical Quality (ui-control-plane)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }}

6
docs/ci.md
View file

@ -294,7 +294,7 @@ The `CodeQL Critical Quality` workflow is the matching non-security shard. It
runs only error-severity, non-security JavaScript/TypeScript quality queries
over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
manual dispatch accepts
`profile=all|plugin-sdk-package-contract|plugin-sdk-reply-runtime|session-diagnostics-boundary`;
`profile=all|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary`;
the narrow profiles are teaching/iteration hooks for running one quality shard
in isolation without dispatching the rest of the workflow.
Its
@ -325,6 +325,10 @@ plugin-sdk-reply-runtime job scans Plugin SDK inbound reply dispatch, reply
payload/chunking/runtime helpers, channel reply options, delivery queues, and
session/thread binding helpers under the separate
`/codeql-critical-quality/plugin-sdk-reply-runtime` category. The
provider-runtime-boundary job scans model catalog normalization, provider auth
and discovery, provider runtime registration, provider defaults/catalogs, and
web/search/fetch/embedding provider registries under the separate
`/codeql-critical-quality/provider-runtime-boundary` category. The
ui-control-plane job scans Control UI bootstrap, local persistence, gateway
control flows, and task control-plane runtime contracts under the separate
`/codeql-critical-quality/ui-control-plane` category. The