fix(ci): add macOS CodeQL security shard · openclaw/openclaw@36b5e34
vincentkoc
·
2026-04-28
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +name: openclaw-codeql-macos-critical-security |
| 2 | + |
| 3 | +disable-default-queries: true |
| 4 | + |
| 5 | +queries: |
| 6 | + - uses: security-extended |
| 7 | + |
| 8 | +paths: |
| 9 | + - apps/macos/Sources |
| 10 | + |
| 11 | +paths-ignore: |
| 12 | + - "**/.build" |
| 13 | + - "**/.build/**" |
| 14 | + - "**/DerivedData" |
| 15 | + - "**/DerivedData/**" |
| 16 | + - "**/*.generated.swift" |
| 17 | + - "**/*Tests.swift" |
| Original file line number | Diff line number | Diff line change |
|---|
@@ -13,6 +13,7 @@ on:
|
13 | 13 | - security |
14 | 14 | - quality |
15 | 15 | - android-security |
| 16 | + - macos-security |
16 | 17 | schedule: |
17 | 18 | - cron: "0 6 * * *" |
18 | 19 | |
@@ -117,3 +118,35 @@ jobs:
|
117 | 118 | uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 |
118 | 119 | with: |
119 | 120 | category: "/codeql-critical-security/android" |
| 121 | + |
| 122 | +macos-security: |
| 123 | +name: Critical Security (macOS) |
| 124 | +if: ${{ github.event_name == 'workflow_dispatch' && inputs.profile == 'macos-security' }} |
| 125 | +runs-on: blacksmith-6vcpu-macos-latest |
| 126 | +timeout-minutes: 45 |
| 127 | +steps: |
| 128 | + - name: Checkout |
| 129 | +uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
| 130 | +with: |
| 131 | +submodules: false |
| 132 | + |
| 133 | + - name: Select Xcode |
| 134 | +run: | |
| 135 | + sudo xcode-select -s /Applications/Xcode_26.1.app |
| 136 | + xcodebuild -version |
| 137 | + swift --version |
| 138 | + |
| 139 | + - name: Initialize CodeQL |
| 140 | +uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 |
| 141 | +with: |
| 142 | +languages: swift |
| 143 | +build-mode: manual |
| 144 | +config-file: ./.github/codeql/codeql-macos-critical-security.yml |
| 145 | + |
| 146 | + - name: Build macOS for CodeQL |
| 147 | +run: swift build --package-path apps/macos --product OpenClaw |
| 148 | + |
| 149 | + - name: Analyze |
| 150 | +uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 |
| 151 | +with: |
| 152 | +category: "/codeql-critical-security/macos" |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。