[ci] Enable CodeQL on nightly build (#7522)

pjcollins · web-flow · commit acfc1efe047a · 2022-11-11T12:34:10.000-05:00
Context: https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/codeql-semmle CodeQL static analysis has been added to our nightly build job. This tool dramatically increases build times, and for complex builds like xamarin-android it should run in a separate pipeline that is not time sensitive. CodeQL will only run against commits to the main branch.
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -35,14 +35,15 @@ stages:
     pool:
       name: VSEng-Xamarin-RedmondMac-Android-Untrusted
       demands: macOS.Name -equals Monterey
-    timeoutInMinutes: 240
-    cancelTimeoutInMinutes: 5
+    timeoutInMinutes: 420
     workspace:
       clean: all
     variables:
       - group: Xamarin-Secrets
       - group: Xamarin Signing
       - group: xamops-azdev-secrets
+      - name: Codeql.Enabled
+        value: true
     steps:
     - checkout: self
       submodules: recursive
@@ -67,7 +68,6 @@ stages:
   - job: emulator_tests
     displayName: macOS > Tests > APKs (Emulator)
     timeoutInMinutes: 180
-    cancelTimeoutInMinutes: 2
     strategy:
       matrix:
         Android21-x86:
diff --git a/build-tools/automation/yaml-templates/commercial-build.yaml b/build-tools/automation/yaml-templates/commercial-build.yaml
@@ -41,6 +41,10 @@ steps:
   workingDirectory: ${{ parameters.xaSourcePath }}
   displayName: delete legacy xamarin-android submodule
 
+- task: CodeQL3000Init@0
+  displayName: CodeQL 3000 Init
+  condition: and(succeeded(), eq(variables['Codeql.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+
 - script: make prepare-external-git-dependencies PREPARE_CI=1 CONFIGURATION=$(XA.Build.Configuration)
   workingDirectory: ${{ parameters.xaSourcePath }}
   displayName: make prepare-external-git-dependencies
@@ -50,6 +54,10 @@ steps:
   workingDirectory: ${{ parameters.xaSourcePath }}
   displayName: make jenkins
 
+- task: CodeQL3000Finalize@0
+  displayName: CodeQL 3000 Finalize
+  condition: and(succeededOrFailed(), eq(variables['Codeql.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+
 # Build test assemblies
 - script: make all-tests CONFIGURATION=$(XA.Build.Configuration)
   workingDirectory: ${{ parameters.xaSourcePath }}
