LLM/moltbot
1
0
Fork 0
mirror of https://github.com/moltbot/moltbot.git synced 2026-05-13 15:47:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): widen CodeQL PR guard

Browse Source 
Runs the PR CodeQL security guard as high-confidence high/critical security coverage and adds the initial plugin/package-contract quality guard.
This commit is contained in:
Vincent Koc
2026-04-29 20:06:50 -07:00
committed by GitHub
parent 8672737f81
commit 6e73101df3
9 changed files with 69 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.github/codeql/codeql-actions-critical-security.yml vendored
View File

@@ -1,5 +1,18 @@
name: openclaw-codeql-actions-critical-security name: openclaw-codeql-actions-critical-security
disable-default-queries: true
queries:
- uses: security-extended
query-filters:
- include:
precision:
- high
- very-high
tags contain: security
security-severity: /([7-9]|10)\.(\d)+/
paths: paths:
- .github/actions - .github/actions
- .github/workflows - .github/workflows

6
.github/codeql/codeql-channel-runtime-boundary-critical-security.yml vendored
View File

@@ -10,10 +10,8 @@ query-filters:
precision: precision:
- high - high
- very-high - very-high
- exclude: tags contain: security
problem.severity: security-severity: /([7-9]|10)\.(\d)+/
- recommendation
- warning
paths: paths:
- src/channels - src/channels

6
.github/codeql/codeql-core-auth-secrets-critical-security.yml vendored
View File

@@ -10,10 +10,8 @@ query-filters:
precision: precision:
- high - high
- very-high - very-high
- exclude: tags contain: security
problem.severity: security-severity: /([7-9]|10)\.(\d)+/
- recommendation
- warning
paths: paths:
- src/agents/*auth*.ts - src/agents/*auth*.ts

6
.github/codeql/codeql-mcp-process-tool-boundary-critical-security.yml vendored
View File

@@ -10,10 +10,8 @@ query-filters:
precision: precision:
- high - high
- very-high - very-high
- exclude: tags contain: security
problem.severity: security-severity: /([7-9]|10)\.(\d)+/
- recommendation
- warning
paths: paths:
- src/mcp - src/mcp

6
.github/codeql/codeql-network-ssrf-boundary-critical-security.yml vendored
View File

@@ -10,10 +10,8 @@ query-filters:
precision: precision:
- high - high
- very-high - very-high
- exclude: tags contain: security
problem.severity: security-severity: /([7-9]|10)\.(\d)+/
- recommendation
- warning
paths: paths:
- src/infra/net - src/infra/net

6
.github/codeql/codeql-plugin-trust-boundary-critical-security.yml vendored
View File

@@ -10,10 +10,8 @@ query-filters:
precision: precision:
- high - high
- very-high - very-high
- exclude: tags contain: security
problem.severity: security-severity: /([7-9]|10)\.(\d)+/
- recommendation
- warning
paths: paths:
- src/cli/plugin-install-config-policy.ts - src/cli/plugin-install-config-policy.ts

42
.github/workflows/codeql-critical-quality.yml vendored
View File

@@ -10,16 +10,26 @@ on:
type: choice type: choice
options: options:
- all - all
- plugin-boundary
- plugin-sdk-package-contract - plugin-sdk-package-contract
- plugin-sdk-reply-runtime - plugin-sdk-reply-runtime
- provider-runtime-boundary - provider-runtime-boundary
- session-diagnostics-boundary - session-diagnostics-boundary
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
paths:
- ".github/codeql/**"
- ".github/workflows/codeql-critical-quality.yml"
- "packages/plugin-package-contract/**"
- "packages/plugin-sdk/**"
- "src/plugin-sdk/**"
- "src/plugins/**"
schedule: schedule:
- cron: "30 6 * * *" - cron: "30 6 * * *"
concurrency: concurrency:
group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }} group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
cancel-in-progress: false cancel-in-progress: ${{ github.event_name == 'pull_request' }}
env: env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
@@ -32,7 +42,7 @@ permissions:
jobs: jobs:
core-auth-secrets: core-auth-secrets:
name: Critical Quality (core-auth-secrets) name: Critical Quality (core-auth-secrets)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -54,7 +64,7 @@ jobs:
config-boundary: config-boundary:
name: Critical Quality (config-boundary) name: Critical Quality (config-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -76,7 +86,7 @@ jobs:
gateway-runtime-boundary: gateway-runtime-boundary:
name: Critical Quality (gateway-runtime-boundary) name: Critical Quality (gateway-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -98,7 +108,7 @@ jobs:
channel-runtime-boundary: channel-runtime-boundary:
name: Critical Quality (channel-runtime-boundary) name: Critical Quality (channel-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -120,7 +130,7 @@ jobs:
agent-runtime-boundary: agent-runtime-boundary:
name: Critical Quality (agent-runtime-boundary) name: Critical Quality (agent-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -142,7 +152,7 @@ jobs:
mcp-process-runtime-boundary: mcp-process-runtime-boundary:
name: Critical Quality (mcp-process-runtime-boundary) name: Critical Quality (mcp-process-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -164,7 +174,7 @@ jobs:
memory-runtime-boundary: memory-runtime-boundary:
name: Critical Quality (memory-runtime-boundary) name: Critical Quality (memory-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -186,7 +196,7 @@ jobs:
session-diagnostics-boundary: session-diagnostics-boundary:
name: Critical Quality (session-diagnostics-boundary) name: Critical Quality (session-diagnostics-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'session-diagnostics-boundary' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'session-diagnostics-boundary') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -208,7 +218,7 @@ jobs:
plugin-sdk-reply-runtime: plugin-sdk-reply-runtime:
name: Critical Quality (plugin-sdk-reply-runtime) name: Critical Quality (plugin-sdk-reply-runtime)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -230,7 +240,7 @@ jobs:
provider-runtime-boundary: provider-runtime-boundary:
name: Critical Quality (provider-runtime-boundary) name: Critical Quality (provider-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -252,7 +262,7 @@ jobs:
ui-control-plane: ui-control-plane:
name: Critical Quality (ui-control-plane) name: Critical Quality (ui-control-plane)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -274,7 +284,7 @@ jobs:
web-media-runtime-boundary: web-media-runtime-boundary:
name: Critical Quality (web-media-runtime-boundary) name: Critical Quality (web-media-runtime-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -296,7 +306,7 @@ jobs:
plugin-boundary: plugin-boundary:
name: Critical Quality (plugin-boundary) name: Critical Quality (plugin-boundary)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' }} if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-boundary') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:
@@ -318,7 +328,7 @@ jobs:
plugin-sdk-package-contract: plugin-sdk-package-contract:
name: Critical Quality (plugin-sdk-package-contract) name: Critical Quality (plugin-sdk-package-contract)
if: ${{ github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-package-contract' }} if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-package-contract') }}
runs-on: blacksmith-4vcpu-ubuntu-2404 runs-on: blacksmith-4vcpu-ubuntu-2404
timeout-minutes: 25 timeout-minutes: 25
steps: steps:

6
.github/workflows/codeql.yml vendored
View File

@@ -35,8 +35,8 @@ permissions:
security-events: write security-events: write
jobs: jobs:
critical-security: security-high:
name: Critical Security (${{ matrix.category }}) name: Security High (${{ matrix.category }})
if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security') }} if: ${{ (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'security') }}
runs-on: ${{ matrix.runs_on }} runs-on: ${{ matrix.runs_on }}
timeout-minutes: ${{ matrix.timeout_minutes }} timeout-minutes: ${{ matrix.timeout_minutes }}
@@ -89,4 +89,4 @@ jobs:
- name: Analyze - name: Analyze
uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4 uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
with: with:
category: "/codeql-critical-security/${{ matrix.category }}" category: "/codeql-security-high/${{ matrix.category }}"

30
docs/ci.md
View File

@@ -258,30 +258,31 @@ or overlapping changed hunks.
The `CodeQL` workflow is intentionally a narrow first-pass security scanner, The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
not the full repository sweep. Daily, manual, and non-draft pull request guard not the full repository sweep. Daily, manual, and non-draft pull request guard
runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript
auth, secrets, sandbox, cron, and gateway surfaces with high-precision security auth, secrets, sandbox, cron, and gateway surfaces with high-confidence security
queries under the `/codeql-critical-security/core-auth-secrets` category. The queries filtered to high/critical `security-severity` under the
`/codeql-security-high/core-auth-secrets` category. The
channel-runtime-boundary job separately scans core channel implementation channel-runtime-boundary job separately scans core channel implementation
contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and
audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` audit touchpoints under the `/codeql-security-high/channel-runtime-boundary`
category so channel security signal can scale without broadening the baseline category so channel security signal can scale without broadening the baseline
auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing, auth/secrets category. The network-ssrf-boundary job scans core SSRF, IP parsing,
network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the network guard, web-fetch, and Plugin SDK SSRF policy surfaces under the
`/codeql-critical-security/network-ssrf-boundary` category so network trust `/codeql-security-high/network-ssrf-boundary` category so network trust boundary
boundary signal stays separate from the auth/secrets security baseline. signal stays separate from the auth/secrets security baseline.
The mcp-process-tool-boundary job scans MCP servers, process execution helpers, The mcp-process-tool-boundary job scans MCP servers, process execution helpers,
outbound delivery, and agent tool-execution gates under the outbound delivery, and agent tool-execution gates under the
`/codeql-critical-security/mcp-process-tool-boundary` category so command and `/codeql-security-high/mcp-process-tool-boundary` category so command and tool
tool boundary signal stays separate from both the auth/secrets baseline and boundary signal stays separate from both the auth/secrets baseline and the
the non-security MCP/process quality shard. The plugin-trust-boundary job scans non-security MCP/process quality shard. The plugin-trust-boundary job scans
plugin install, loader, manifest, registry, runtime-dependency staging, plugin install, loader, manifest, registry, runtime-dependency staging,
source-loading, public-surface, and Plugin SDK package contract trust surfaces source-loading, public-surface, and Plugin SDK package contract trust surfaces
under the `/codeql-critical-security/plugin-trust-boundary` category so plugin under the `/codeql-security-high/plugin-trust-boundary` category so plugin
supply-chain and runtime-loading signal stays separate from both bundled plugin supply-chain and runtime-loading signal stays separate from both bundled plugin
implementation code and the non-security plugin quality shard. implementation code and the non-security plugin quality shard.
The pull request guard stays light: it only starts for changes under The pull request guard stays light: it only starts for changes under
`.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, or `src`, `.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, or `src`,
and it runs the same critical-security matrix as the scheduled workflow. Android, and it runs the same high-confidence security matrix as the scheduled workflow.
macOS, and non-security quality CodeQL stay out of PR defaults. Android and macOS CodeQL stay out of PR defaults.
The `CodeQL Android Critical Security` workflow is the scheduled Android The `CodeQL Android Critical Security` workflow is the scheduled Android
security shard. It builds the Android app manually for CodeQL on the smallest security shard. It builds the Android app manually for CodeQL on the smallest
@@ -297,8 +298,11 @@ default workflow because the macOS build dominates runtime even when clean.
The `CodeQL Critical Quality` workflow is the matching non-security shard. It The `CodeQL Critical Quality` workflow is the matching non-security shard. It
runs only error-severity, non-security JavaScript/TypeScript quality queries runs only error-severity, non-security JavaScript/TypeScript quality queries
over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its over narrow high-value surfaces on the smaller Blacksmith Linux runner. Its
manual dispatch accepts pull request guard is intentionally smaller than the scheduled profile: non-draft
`profile=all|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary`; PRs only run the `plugin-boundary` and `plugin-sdk-package-contract` shards when
plugin loader, Plugin SDK, package-contract, CodeQL config, or quality workflow
files change. Its manual dispatch accepts
`profile=all|plugin-boundary|plugin-sdk-package-contract|plugin-sdk-reply-runtime|provider-runtime-boundary|session-diagnostics-boundary`;
the narrow profiles are teaching/iteration hooks for running one quality shard the narrow profiles are teaching/iteration hooks for running one quality shard
in isolation without dispatching the rest of the workflow. in isolation without dispatching the rest of the workflow.
Its Its