

























@@ -230,18 +230,22 @@ or overlapping changed hunks.
230230The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
231231not the full repository sweep. Daily and manual runs scan Actions workflow code
232232plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
233-gateway surfaces with high-precision security queries. Android and macOS remain
234-manual security shards so their runtime and alert quality can be tracked
235-separately.
233+gateway surfaces with high-precision security queries. macOS remains a manual
234+security shard so its runtime and alert quality can be tracked separately.
235+236+The `CodeQL Android Critical Security` workflow is the scheduled Android
237+security shard. It builds the Android app manually for CodeQL on the smallest
238+Blacksmith Linux runner label accepted by workflow sanity and uploads results
239+under the `/codeql-critical-security/android` category.
236240237241The `CodeQL Critical Quality` workflow is the matching non-security shard. It
238242runs only error-severity, non-security JavaScript/TypeScript quality queries
239243over the same narrow auth, secrets, sandbox, cron, and gateway surface. Keep it
240244separate from the security workflow so quality findings can be scheduled,
241245measured, disabled, or expanded without obscuring security signal. Swift,
242-Android, Python, UI, and bundled-plugin CodeQL expansion should be added back as
243-scoped or sharded follow-up work only after the narrow profiles have stable
244-runtime and signal.
246+Python, UI, and bundled-plugin CodeQL expansion should be added back as scoped
247+or sharded follow-up work only after the narrow profiles have stable runtime and
248+signal.
245249246250The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping
247251existing docs aligned with recently landed changes. It has no pure schedule: a
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。