diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 9c83d6fa6..cc78193d6 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "6cc6996a1c50030c93f01b2e741956da628caa66", - "syncedAt": "2026-04-28T10:14:09.833Z" + "sha": "77192572f62174aeb9d5d42e8901773aae611f50", + "syncedAt": "2026-04-28T10:15:13.091Z" } diff --git a/docs/ci.md b/docs/ci.md index edde7c58a..7f57c3c8b 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -230,14 +230,19 @@ or overlapping changed hunks. The `CodeQL` workflow is intentionally a narrow first-pass security scanner, not the full repository sweep. Daily and manual runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and -gateway surfaces with high-precision security queries. macOS remains a manual -security shard so its runtime and alert quality can be tracked separately. +gateway surfaces with high-precision security queries. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest Blacksmith Linux runner label accepted by workflow sanity and uploads results under the `/codeql-critical-security/android` category. +The `CodeQL macOS Critical Security` workflow is the weekly/manual macOS +security shard. It builds the macOS app manually for CodeQL on Blacksmith macOS, +filters dependency build results out of the uploaded SARIF, and uploads results +under the `/codeql-critical-security/macos` category. Keep it outside the daily +default workflow because the macOS build dominates runtime even when clean. + The `CodeQL Critical Quality` workflow is the matching non-security shard. It runs only error-severity, non-security JavaScript/TypeScript quality queries over narrow high-value surfaces. Its baseline job scans the same auth, secrets,