Ensure the official build files CodeQL issues (#24278)

* Enable and Disable CodeQL in the right places during the official build

* fix codeql condition

* fix syntax error

* Enable codeQL issue filing

* use parameter instead of branch to force codeql

* try to name the build better

* Update .pipelines/PowerShell-Coordinated_Packages-Official.yml

* add debugging to display name of debugging parameters

* fix spacing

* Update .pipelines/PowerShell-Coordinated_Packages-Official.yml
This commit is contained in:
Travis Plunk 2024-09-12 10:11:55 -07:00 committed by GitHub
parent 50e99a2489
commit a42e5dbd1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 40 additions and 22 deletions

View File

@ -1,4 +1,5 @@
{
"codebaseName": "TFSMSAzure_PowerShell",
"instanceUrl": "https://msazure.visualstudio.com",
"projectName": "One",
"areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core\\pwsh",

View File

@ -1,4 +1,4 @@
name: UnifiedPackageBuild-$(Build.BuildId)
name: UnifiedPackageBuild-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)
trigger: none
parameters:
@ -11,19 +11,23 @@ parameters:
type: string
default: 'fromBranch'
- name: SKIP_SIGNING
displayName: Skip Signing
displayName: Debugging - Skip Signing
type: string
default: 'NO'
- name: RUN_TEST_AND_RELEASE
displayName: Run Test and Release Artifacts Stage
displayName: Debugging - Run Test and Release Artifacts Stage
type: boolean
default: true
- name: RUN_WINDOWS
displayName: Enable Windows Stage
displayName: Debugging - Enable Windows Stage
type: boolean
default: true
- name: ENABLE_MSBUILD_BINLOGS
displayName: Enable MSBuild Binary Logs
displayName: Debugging - Enable MSBuild Binary Logs
type: boolean
default: false
- name: FORCE_CODEQL
displayName: Debugging - Enable CodeQL and set cadence to 1 hour
type: boolean
default: false
@ -74,6 +78,16 @@ variables:
- group: mscodehub-feed-read-akv
- name: ENABLE_MSBUILD_BINLOGS
value: ${{ parameters.ENABLE_MSBUILD_BINLOGS }}
- ${{ if eq(parameters['FORCE_CODEQL'],'true') }}:
# Cadence is hours before CodeQL will allow a re-upload of the database
- name: CodeQL.Cadence
value: 1
- name: CODEQL_ENABLED
${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}:
value: true
${{ else }}:
value: false
extends:
template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
@ -91,11 +105,10 @@ extends:
enabled: false
sbom:
enabled: true
codeql:
compiled:
${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}:
enabled: true
${{ else }}:
enabled: false
enabled: $(CODEQL_ENABLED)
tsaEnabled: true # This enables TSA bug filing only for CodeQL 3000
credscan:
enabled: true
scanFolder: $(Build.SourcesDirectory)

View File

@ -33,9 +33,9 @@ jobs:
value: ${{ parameters.Runtime }}
- name: ob_sdl_sbom_packageName
value: 'Microsoft.Powershell.Linux.${{ parameters.Runtime }}'
- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}:
# We add this manually, so we need it disabled the OneBranch auto-injected one.
- name: ob_sdl_codeql_compiled_enabled
value: true
value: false
steps:
- checkout: self
@ -54,12 +54,14 @@ jobs:
repoRoot: $(PowerShellRoot)
- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
condition: eq(variables['CODEQL_ENABLED'], 'true')
env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
inputs:
Enabled: true
AnalyzeInPipeline: true
# AnalyzeInPipeline: false = upload results
# AnalyzeInPipeline: true = do not upload results
AnalyzeInPipeline: false
Language: csharp
- pwsh: |
@ -110,7 +112,7 @@ jobs:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
condition: eq(variables['CODEQL_ENABLED'], 'true')
env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.

View File

@ -34,9 +34,9 @@ jobs:
value: ${{ parameters.BuildConfiguration }}
- name: ob_sdl_sbom_packageName
value: 'Microsoft.Powershell.Windows.${{ parameters.Architecture }}'
- ${{ if eq(variables['Build.SourceBranch'], 'refs/heads/master') }}:
# We add this manually, so we need it disabled the OneBranch auto-injected one.
- name: ob_sdl_codeql_compiled_enabled
value: true
value: false
steps:
- checkout: self
@ -55,12 +55,14 @@ jobs:
repoRoot: $(PowerShellRoot)
- task: CodeQL3000Init@0 # Add CodeQL Init task right before your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
condition: eq(variables['CODEQL_ENABLED'], 'true')
env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
inputs:
Enabled: true
AnalyzeInPipeline: true
# AnalyzeInPipeline: false = upload results
# AnalyzeInPipeline: true = do not upload results
AnalyzeInPipeline: false
Language: csharp
- pwsh: |
@ -184,7 +186,7 @@ jobs:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.
- task: CodeQL3000Finalize@0 # Add CodeQL Finalize task right after your 'Build' step.
condition: eq(variables['Build.SourceBranch'], 'refs/heads/master')
condition: eq(variables['CODEQL_ENABLED'], 'true')
env:
ob_restore_phase: true # Set ob_restore_phase to run this step before '🔒 Setup Signing' step.