diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 390e2cdd5..04e38b595 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "1f006dbc5f458211d0250fc60138d3d69985cf22", - "syncedAt": "2026-04-30T01:59:58.366Z" + "sha": "8aed80d2fabf0c5de120b723215e8152445ff248", + "syncedAt": "2026-04-30T02:20:53.793Z" } diff --git a/docs/ci.md b/docs/ci.md index 3ef754560..48c423558 100644 --- a/docs/ci.md +++ b/docs/ci.md @@ -256,10 +256,10 @@ landed PR is merged and that each duplicate has either a shared referenced issue or overlapping changed hunks. The `CodeQL` workflow is intentionally a narrow first-pass security scanner, -not the full repository sweep. Daily and manual runs scan Actions workflow code -plus the highest-risk JavaScript/TypeScript auth, secrets, sandbox, cron, and -gateway surfaces with high-precision security queries under the -`/codeql-critical-security/core-auth-secrets` category. The +not the full repository sweep. Daily, manual, and non-draft pull request guard +runs scan Actions workflow code plus the highest-risk JavaScript/TypeScript +auth, secrets, sandbox, cron, and gateway surfaces with high-precision security +queries under the `/codeql-critical-security/core-auth-secrets` category. The channel-runtime-boundary job separately scans core channel implementation contracts plus the channel plugin runtime, gateway, Plugin SDK, secrets, and audit touchpoints under the `/codeql-critical-security/channel-runtime-boundary` @@ -278,6 +278,10 @@ source-loading, public-surface, and Plugin SDK package contract trust surfaces under the `/codeql-critical-security/plugin-trust-boundary` category so plugin supply-chain and runtime-loading signal stays separate from both bundled plugin implementation code and the non-security plugin quality shard. +The pull request guard stays light: it only starts for changes under +`.github/actions`, `.github/codeql`, `.github/workflows`, `packages`, or `src`, +and it runs the same critical-security matrix as the scheduled workflow. Android, +macOS, and non-security quality CodeQL stay out of PR defaults. The `CodeQL Android Critical Security` workflow is the scheduled Android security shard. It builds the Android app manually for CodeQL on the smallest