ci: shard channel codeql security · openclaw/openclaw@3ae6949
vincentkoc
·
2026-04-29
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
@@ -230,7 +230,12 @@ or overlapping changed hunks.
|
230 | 230 | The `CodeQL` workflow is intentionally a narrow first-pass security scanner, |
231 | 231 | not the full repository sweep. Daily and manual runs scan Actions workflow code |
232 | 232 | plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and |
233 | | -gateway surfaces with high-precision security queries. |
| 233 | +gateway surfaces with high-precision security queries. The |
| 234 | +channel-runtime-boundary job separately scans core channel implementation |
| 235 | +contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and |
| 236 | +audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` |
| 237 | +category so channel security signal can scale without broadening the baseline |
| 238 | +JS/TS category. |
234 | 239 | |
235 | 240 | The `CodeQL Android Critical Security` workflow is the scheduled Android |
236 | 241 | security shard. It builds the Android app manually for CodeQL on the smallest |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。