Adds the gateway runtime quality shard to the PR CodeQL guard, keeps PR quality analysis path-sharded by surface, and documents the shard selector behavior.
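# CodeQL "critical quality" workflow.
#
# Every shard below runs CodeQL against one surface of the codebase using its
# own query config under .github/codeql/. On `schedule` and `workflow_dispatch`
# all shards run (or the one selected by the `profile` input). On
# `pull_request` only the three path-sharded shards can run, and only when the
# `quality-shards` job has seen a matching file in the PR.
name: CodeQL Critical Quality

on:
  workflow_dispatch:
    inputs:
      profile:
        description: CodeQL quality profile to run
        required: false
        default: all
        type: choice
        options:
          - all
          - gateway-runtime-boundary
          - plugin-boundary
          - plugin-sdk-package-contract
          - plugin-sdk-reply-runtime
          - provider-runtime-boundary
          - session-diagnostics-boundary
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]
    # Keep this list in sync with the `case` arms in the `quality-shards` job:
    # the trigger decides whether the workflow starts at all, the `case` arms
    # decide which shard each changed file enables.
    paths:
      - ".github/codeql/**"
      - ".github/workflows/codeql-critical-quality.yml"
      - "packages/plugin-package-contract/**"
      - "packages/plugin-sdk/**"
      - "src/gateway/method-scopes.ts"
      - "src/gateway/protocol/**"
      - "src/gateway/server-methods/**"
      - "src/gateway/server-methods.ts"
      - "src/gateway/server-methods-list.ts"
      - "src/plugin-sdk/**"
      - "src/plugins/**"
  schedule:
    - cron: "30 6 * * *"

concurrency:
  # One group per PR (cancellable), per manual run, or per commit otherwise.
  group: codeql-critical-quality-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.event_name == 'pull_request' && github.event.pull_request.number || github.sha }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"

# Workflow-wide token scopes. `security-events: write` is what lets the
# CodeQL analyze step upload its results; everything else stays read-only.
permissions:
  actions: read
  contents: read
  pull-requests: read
  security-events: write

jobs:
  # Decides, per PR, which of the path-sharded shards below need to run.
  # Outputs are the strings "true"/"false" and are consumed via `needs`.
  quality-shards:
    name: Select Critical Quality shards
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 5
    outputs:
      gateway: ${{ steps.detect.outputs.gateway }}
      plugin: ${{ steps.detect.outputs.plugin }}
      plugin_sdk_package: ${{ steps.detect.outputs.plugin_sdk_package }}
    steps:
      - name: Detect PR shard paths
        id: detect
        env:
          EVENT_NAME: ${{ github.event_name }}
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPOSITORY: ${{ github.repository }}
        run: |
          set -euo pipefail

          gateway=false
          plugin=false
          plugin_sdk_package=false

          if [[ "${EVENT_NAME}" != "pull_request" ]]; then
            # Scheduled and manual runs are not path-sharded: enable every shard.
            gateway=true
            plugin=true
            plugin_sdk_package=true
          else
            # Capture the PR file list in a variable before looping. Under
            # `set -e` a failing command substitution aborts the step, so an API
            # error (rate limit, outage) fails this job loudly instead of
            # leaving every output at "false" and silently skipping all PR
            # CodeQL analysis. A process substitution (`done < <(gh api ...)`)
            # would have discarded that failure.
            changed_files="$(gh api --paginate "repos/${REPOSITORY}/pulls/${PR_NUMBER}/files" --jq '.[].filename')"

            while IFS= read -r file; do
              # `case` stops at the first matching arm, so a path that belongs
              # to more than one shard gets its own arm that enables all of them.
              case "${file}" in
                .github/codeql/*|.github/workflows/codeql-critical-quality.yml)
                  gateway=true
                  plugin=true
                  plugin_sdk_package=true
                  ;;
                src/plugin-sdk/*)
                  # Listed in both the plugin-boundary and the
                  # plugin-sdk-package-contract surfaces.
                  plugin=true
                  plugin_sdk_package=true
                  ;;
                src/gateway/method-scopes.ts|src/gateway/protocol/*|src/gateway/server-methods/*|src/gateway/server-methods.ts|src/gateway/server-methods-list.ts)
                  gateway=true
                  ;;
                src/plugins/*)
                  plugin=true
                  ;;
                packages/plugin-package-contract/*|packages/plugin-sdk/*)
                  plugin_sdk_package=true
                  ;;
              esac
            done <<< "${changed_files}"
          fi

          {
            echo "gateway=${gateway}"
            echo "plugin=${plugin}"
            echo "plugin_sdk_package=${plugin_sdk_package}"
          } >> "${GITHUB_OUTPUT}"

  # Shards without a `profile` option run only on schedule or on a manual
  # run with `profile: all`.
  core-auth-secrets:
    name: Critical Quality (core-auth-secrets)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-core-auth-secrets-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/core-auth-secrets"

  config-boundary:
    name: Critical Quality (config-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-config-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/config-boundary"

  # Path-sharded: on a PR this runs only when `quality-shards` flagged a
  # gateway file and the PR is not a draft; on manual runs it also honours
  # the `profile` input.
  gateway-runtime-boundary:
    name: Critical Quality (gateway-runtime-boundary)
    needs: quality-shards
    if: ${{ needs.quality-shards.outputs.gateway == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'gateway-runtime-boundary') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-gateway-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/gateway-runtime-boundary"

  channel-runtime-boundary:
    name: Critical Quality (channel-runtime-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-channel-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/channel-runtime-boundary"

  agent-runtime-boundary:
    name: Critical Quality (agent-runtime-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-agent-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/agent-runtime-boundary"

  mcp-process-runtime-boundary:
    name: Critical Quality (mcp-process-runtime-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-mcp-process-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/mcp-process-runtime-boundary"

  memory-runtime-boundary:
    name: Critical Quality (memory-runtime-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-memory-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/memory-runtime-boundary"

  # Selectable via the `profile` input, but never path-sharded on PRs.
  session-diagnostics-boundary:
    name: Critical Quality (session-diagnostics-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'session-diagnostics-boundary') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-session-diagnostics-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/session-diagnostics-boundary"

  plugin-sdk-reply-runtime:
    name: Critical Quality (plugin-sdk-reply-runtime)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-reply-runtime') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-plugin-sdk-reply-runtime-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/plugin-sdk-reply-runtime"

  provider-runtime-boundary:
    name: Critical Quality (provider-runtime-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'provider-runtime-boundary') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-provider-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/provider-runtime-boundary"

  ui-control-plane:
    name: Critical Quality (ui-control-plane)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-ui-control-plane-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/ui-control-plane"

  web-media-runtime-boundary:
    name: Critical Quality (web-media-runtime-boundary)
    if: ${{ github.event_name != 'pull_request' && (github.event_name != 'workflow_dispatch' || inputs.profile == 'all') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-web-media-runtime-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/web-media-runtime-boundary"

  # Path-sharded: gated on `quality-shards.outputs.plugin` for PRs.
  plugin-boundary:
    name: Critical Quality (plugin-boundary)
    needs: quality-shards
    if: ${{ needs.quality-shards.outputs.plugin == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-boundary') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-plugin-boundary-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/plugin-boundary"

  # Path-sharded: gated on `quality-shards.outputs.plugin_sdk_package` for PRs.
  plugin-sdk-package-contract:
    name: Critical Quality (plugin-sdk-package-contract)
    needs: quality-shards
    if: ${{ needs.quality-shards.outputs.plugin_sdk_package == 'true' && (github.event_name != 'pull_request' || !github.event.pull_request.draft) && (github.event_name == 'pull_request' || github.event_name != 'workflow_dispatch' || inputs.profile == 'all' || inputs.profile == 'plugin-sdk-package-contract') }}
    runs-on: blacksmith-4vcpu-ubuntu-2404
    timeout-minutes: 25
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: javascript-typescript
          config-file: ./.github/codeql/codeql-plugin-sdk-package-contract-critical-quality.yml

      - name: Analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          category: "/codeql-critical-quality/plugin-sdk-package-contract"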