chore(sync): mirror docs from openclaw/openclaw@77192572f6

This commit is contained in:
openclaw-docs-sync[bot] 2026-04-28 10:16:45 +00:00
parent 138104856b
commit 50ab45fe43
2 changed files with 9 additions and 4 deletions

View File

@ -1,5 +1,5 @@
{
"repository": "openclaw/openclaw",
"sha": "6cc6996a1c50030c93f01b2e741956da628caa66",
"syncedAt": "2026-04-28T10:14:09.833Z"
"sha": "77192572f62174aeb9d5d42e8901773aae611f50",
"syncedAt": "2026-04-28T10:15:13.091Z"
}

View File

@ -230,14 +230,19 @@ or overlapping changed hunks.
The `CodeQL` workflow is intentionally a narrow first-pass security scanner,
not the full repository sweep. Daily and manual runs scan Actions workflow code
plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and
gateway surfaces with high-precision security queries. macOS remains a manual
security shard so its runtime and alert quality can be tracked separately.
gateway surfaces with high-precision security queries.
The `CodeQL Android Critical Security` workflow is the scheduled Android
security shard. It builds the Android app manually for CodeQL on the smallest
Blacksmith Linux runner label accepted by workflow sanity and uploads results
under the `/codeql-critical-security/android` category.
The `CodeQL macOS Critical Security` workflow is the weekly/manual macOS
security shard. It builds the macOS app manually for CodeQL on Blacksmith macOS,
filters dependency build results out of the uploaded SARIF, and uploads results
under the `/codeql-critical-security/macos` category. Keep it outside the daily
default workflow because the macOS build dominates runtime even when clean.
The `CodeQL Critical Quality` workflow is the matching non-security shard. It
runs only error-severity, non-security JavaScript/TypeScript quality queries
over narrow high-value surfaces. Its baseline job scans the same auth, secrets,