From 7d2d5f47f158ea3f7f719d0a216ca803fbae589d Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Mon, 15 Jul 2024 12:55:14 -0400 Subject: [PATCH 1/4] [ci] Disable CodeQL on macOS and Linux build jobs Attempt to save some build time on macOS and Linux by disabling CodeQL. This step will still run during the Windows build job in CI, as well as the macOS nightly build job. --- build-tools/automation/azure-pipelines.yaml | 2 -- build-tools/automation/yaml-templates/build-linux.yaml | 5 +++++ build-tools/automation/yaml-templates/build-macos.yaml | 5 +++++ 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index ca669345f15..a66b4eb6047 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,8 +73,6 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
- codeql:
- runSourceLanguagesInSourceAnalysis: true
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index f34a25ba776..796b5fe5df0 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -35,6 +35,11 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index c279a6752ba..eafc4c7499d 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
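Review bot: Removing `codeql: runSourceLanguagesInSourceAnalysis: true` from the pipeline-level block in azure-pipelines.yaml is not covered by the commit message, which describes only the macOS and Linux job changes. Because this key sits next to `binskim` and `policheck` in what appears to be the shared SDL configuration, dropping it presumably affects the Windows job too and may narrow which source languages CodeQL analyses there. If that reduction is not intended, keep the two lines and rely on the per-job `compiled: enabled: false` overrides alone; if it is intended, state it in the commit message so the loss of coverage is a recorded decision. The enclosing `extends:` block starts and ends outside the hunk.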
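Review bot: The `justificationForDisabling` string added in the build-linux.yaml hunk (and the identical one in the build-macos.yaml hunk) records a coverage claim that nothing in this patch enforces: no hunk enables CodeQL for the Windows or nightly macOS jobs, so the claim rests on defaults defined elsewhere. The Linux job compiles with `CC: gcc-10`, so code that is built only on Linux would, as far as these hunks show, no longer receive a compiled scan in any job. A comment above `sdl:` such as `# CodeQL compiled scan is skipped for this job; coverage depends on build-windows.yaml and the macOS nightly pipeline keeping it enabled` would make that dependency visible to whoever next edits those jobs.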
@@ -43,6 +43,11 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
From de74a47fb08f7b998a5fa06393e5b211b1a26bd4 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Mon, 15 Jul 2024 14:01:12 -0400 Subject: [PATCH 2/4] Try disabled by default --- build-tools/automation/azure-pipelines.yaml | 4 ++++ build-tools/automation/yaml-templates/build-linux.yaml | 5 ----- build-tools/automation/yaml-templates/build-macos.yaml | 5 ----- build-tools/automation/yaml-templates/build-windows.yaml | 5 +++++ 4 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index a66b4eb6047..2d8fd5b51d6 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,6 +73,10 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index 796b5fe5df0..f34a25ba776 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -35,11 +35,6 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index eafc4c7499d..c279a6752ba 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -43,11 +43,6 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
- sdl:
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
diff --git a/build-tools/automation/yaml-templates/build-windows.yaml b/build-tools/automation/yaml-templates/build-windows.yaml
index 067c9d0a4a0..665d4dfda14 100644
--- a/build-tools/automation/yaml-templates/build-windows.yaml
+++ b/build-tools/automation/yaml-templates/build-windows.yaml
@@ -27,6 +27,11 @@ stages:
 image: $(WindowsPoolImage1ESPT)
 os: windows
 timeoutInMinutes: 240
+ templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: true
 steps:
 - template: sdk-unified/steps/checkout/v1.yml@yaml-templates
 parameters:
From 2ada50086dff75e482799a1b8f3b3df4ea7e4427 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Mon, 15 Jul 2024 14:34:42 -0400 Subject: [PATCH 3/4] Revert "Try disabled by default" This reverts commit de74a47fb08f7b998a5fa06393e5b211b1a26bd4. --- build-tools/automation/azure-pipelines.yaml | 4 ---- build-tools/automation/yaml-templates/build-linux.yaml | 5 +++++ build-tools/automation/yaml-templates/build-macos.yaml | 5 +++++ build-tools/automation/yaml-templates/build-windows.yaml | 5 ----- 4 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 2d8fd5b51d6..a66b4eb6047 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,10 +73,6 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
- codeql:
- compiled:
- enabled: false
- justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index f34a25ba776..796b5fe5df0 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -35,6 +35,11 @@ stages:
 CC: gcc-10
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputs:
 - output: pipelineArtifact
 displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index c279a6752ba..eafc4c7499d 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -43,6 +43,11 @@ stages:
 clean: all
 ${{ if eq(parameters.use1ESTemplate, true) }}:
 templateContext:
+ sdl:
+ codeql:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
 outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
 outputs:
 - output: pipelineArtifact
diff --git a/build-tools/automation/yaml-templates/build-windows.yaml b/build-tools/automation/yaml-templates/build-windows.yaml
index 665d4dfda14..067c9d0a4a0 100644
--- a/build-tools/automation/yaml-templates/build-windows.yaml
+++ b/build-tools/automation/yaml-templates/build-windows.yaml
@@ -27,11 +27,6 @@ stages:
 image: $(WindowsPoolImage1ESPT)
 os: windows
 timeoutInMinutes: 240
- templateContext:
- sdl:
- codeql:
- compiled:
- enabled: true
 steps:
 - template: sdk-unified/steps/checkout/v1.yml@yaml-templates
 parameters:
From 4100b5ac03c148a3dc76df9bf5f915479f336008 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Mon, 15 Jul 2024 14:50:50 -0400 Subject: [PATCH 4/4] Ensure CodeQL only runs on main --- build-tools/automation/azure-pipelines.yaml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index a66b4eb6047..6d269e1fc73 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -73,6 +73,11 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
+ codeql:
+ ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+ compiled:
+ enabled: false
+ justificationForDisabling: CodeQL disabled for non-main branch builds
 policheck:
 enabled: false
 justification: Built in task does not support multi-language scanning
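Review bot: The `ne(variables['Build.SourceBranch'], 'refs/heads/main')` condition added under `codeql:` in the PATCH 4/4 hunk turns compiled CodeQL analysis off for every ref except `main`, which would include pull-request builds and any release or servicing branch that produces shipped artifacts. If such branches exist in this repository (not visible in the hunk), they would be built without a compiled scan, and for pull requests findings would only surface after the merge. Consider widening the exemption, for example `${{ if and(ne(variables['Build.SourceBranch'], 'refs/heads/main'), not(startsWith(variables['Build.SourceBranch'], 'refs/heads/<release-prefix>/'))) }}:`, where `<release-prefix>` is a placeholder for the project's own branch naming. The build-linux.yaml and build-macos.yaml justification strings from PATCH 1/4 still say CodeQL runs against the Windows build, which after this change holds only on `main`, and the `runSourceLanguagesInSourceAnalysis: true` setting removed in PATCH 1/4 is not restored here.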