From 66003200c489fbde119761a6d5c336dc1df64a12 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Mon, 27 Apr 2026 18:45:14 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@e864fd39cce49c5a0c5194b56599845d7a919c3e --- .openclaw-sync/source.json | 4 ++-- docs/ci.md | 10 ++++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 7953e8016..50f3a8aba 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "f7797ca62b841be551b9ddaf76e32620ca14600f", - "syncedAt": "2026-04-27T18:24:38.436Z" + "sha": "e864fd39cce49c5a0c5194b56599845d7a919c3e", + "syncedAt": "2026-04-27T18:43:42.578Z" } diff --git a/docs/ci.md b/docs/ci.md index 6dee5bf16..209cebae8 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -192,6 +192,16 @@ listed PRs when `apply=true`. Before mutating GitHub, it verifies that the landed PR is merged and that each duplicate has either a shared referenced issue or overlapping changed hunks. +The `CodeQL` workflow is intentionally a narrow first-pass scanner, not the +full repository sweep. Daily and manual runs scan Actions workflow code plus the +highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and gateway +surfaces. The critical security lane uses high-precision security queries, and +the separate critical quality lane runs only error-severity non-security +queries over the same narrow JavaScript/TypeScript surface. Swift, Android, +Python, UI, and bundled-plugin CodeQL expansion should be added back as scoped +or sharded follow-up work only after the narrow profile has stable runtime and +signal. + The `Docs Agent` workflow is an event-driven Codex maintenance lane for keeping existing docs aligned with recently landed changes. It has no pure schedule: a successful non-bot push CI run on `main` can trigger it, and manual dispatch can