CodeQL macOS Critical Security #2
# CodeQL "critical security" scan of the macOS Swift app (apps/macos).
# Runs weekly (Monday 08:00 UTC) or on manual dispatch, builds the OpenClaw
# product with SwiftPM in manual build mode, then drops findings that live
# entirely inside the SwiftPM dependency build directory before uploading.
name: CodeQL macOS Critical Security
on:
  workflow_dispatch:
  schedule:
    - cron: "0 8 * * 1"
concurrency:
  # Scheduled runs are keyed by commit, so a re-run of the same SHA shares a
  # group; manual dispatches are keyed by run id so they never collide with
  # each other. In-flight scans are allowed to finish rather than be cancelled.
  group: codeql-macos-critical-security-${{ github.workflow }}-${{ github.event_name == 'workflow_dispatch' && github.run_id || github.sha }}
  cancel-in-progress: false
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
# Least-privilege token: only SARIF upload needs write (security-events);
# everything else is read-only.
permissions:
  actions: read
  contents: read
  security-events: write
jobs:
  macos:
    name: Critical Security (macOS)
    runs-on: blacksmith-6vcpu-macos-latest
    timeout-minutes: 45
    steps:
      - name: Checkout
        # Actions are pinned to full commit SHAs; the trailing comment records
        # the tag the SHA was taken from.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: false
      - name: Select Xcode
        # Pins the toolchain explicitly; the version prints are for log
        # diagnostics only. Fails fast if this Xcode path is absent on the runner.
        run: |
          sudo xcode-select -s /Applications/Xcode_26.1.app
          xcodebuild -version
          swift --version
      - name: Initialize CodeQL
        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          languages: swift
          # build-mode: manual means the "Build macOS for CodeQL" step below
          # performs the traced build between init and analyze.
          build-mode: manual
          config-file: ./.github/codeql/codeql-macos-critical-security.yml
      - name: Build macOS for CodeQL
        run: swift build --package-path apps/macos --product OpenClaw
      - name: Analyze
        id: analyze
        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          # SARIF is written to this directory so it can be filtered below;
          # the action itself only uploads when the analysis fails
          # (upload: failure-only), so normal runs rely on the final step.
          output: sarif-results
          upload: failure-only
          category: "/codeql-critical-security/macos"
      - name: Remove dependency build results
        env:
          # Must match the `output:` of the Analyze step above.
          SARIF_OUTPUT: sarif-results
        run: |
          set -euo pipefail
          # nullglob: an empty directory yields an empty array, not the
          # literal pattern, so the count check below is meaningful.
          shopt -s nullglob
          if [ ! -d "$SARIF_OUTPUT" ]; then
            echo "SARIF output directory not found: $SARIF_OUTPUT" >&2
            exit 1
          fi
          mkdir -p sarif-results-filtered
          files=("$SARIF_OUTPUT"/*.sarif)
          if [ "${#files[@]}" -eq 0 ]; then
            echo "No SARIF files found in $SARIF_OUTPUT" >&2
            exit 1
          fi
          for file in "${files[@]}"; do
            # A result counts as "dependency build" only when it has at least
            # one location AND every location URI starts with
            # apps/macos/.build/ (SwiftPM's checkout/build dir). Results with
            # no locations, or with any location outside that tree, are kept.
            # The YAML block scalar keeps the backslashes literally, so jq
            # receives "\\." in its string literal and the regex sees "\.".
            jq '
              def in_dependency_build:
                ((.locations // []) | length > 0)
                and all(.locations[]; (.physicalLocation.artifactLocation.uri? // "") | test("^apps/macos/\\.build/"));
              .runs |= map(.results = ((.results // []) | map(select(in_dependency_build | not))))
            ' "$file" > "sarif-results-filtered/$(basename "$file")"
          done
      - name: Upload filtered SARIF
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
        with:
          sarif_file: sarif-results-filtered
          # Same category as the Analyze step so the filtered results replace,
          # rather than sit beside, any results uploaded on failure.
          category: "/codeql-critical-security/macos"