Enable Codeql in Analyze job for Go pipelines (#20682)

* Enable CodeQL for scheduled builds only * Do this in Analyze instead * Adjust globals.yml scope and fix syntax * fix globals.yml scoping again * Update eng/pipelines/templates/jobs/archetype-sdk-client.yml Co-authored-by: Ben Broderick Phillips <[email protected]> --------- Co-authored-by: Ben Broderick Phillips <[email protected]>
Azure · Jun 21, 2023 · dc418a6 · dc418a6
1 parent 97c346e
commit dc418a6
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/eng/pipelines/templates/jobs/archetype-go-release.yml b/eng/pipelines/templates/jobs/archetype-go-release.yml
@@ -5,6 +5,8 @@ parameters:
 
 stages:
   - stage: CheckRelease
+    variables:
+      - template: /eng/pipelines/templates/variables/globals.yml
     displayName: 'Check Release: ${{ parameters.ServiceDirectory }}'
     dependsOn: ${{ parameters.DependsOn }}
     condition: and(succeeded(), ne(variables['SetDevVersion'], 'true'), ne(variables['Skip.Release'], 'true'), ne(variables['Build.Repository.Name'], 'Azure/azure-sdk-for-go-pr'))
@@ -34,6 +36,8 @@ stages:
             env:
               GH_TOKEN: $(azuresdk-github-pat)
   - stage: Release
+    variables:
+      - template: /eng/pipelines/templates/variables/globals.yml
     displayName: 'Release: ${{ parameters.ServiceDirectory }}'
     dependsOn: CheckRelease
     condition: and(succeeded(), eq(dependencies.CheckRelease.outputs['CheckReleaseJob.Verify.NeedToRelease'], 'true'))

diff --git a/eng/pipelines/templates/jobs/archetype-sdk-client.yml b/eng/pipelines/templates/jobs/archetype-sdk-client.yml
@@ -78,11 +78,11 @@ parameters:
 
 stages:
   - stage: Build
+    variables:
+      - template: /eng/pipelines/templates/variables/globals.yml
     jobs:
     - job: Test
       displayName: Build and Test on
-      variables:
-        - template: /eng/pipelines/templates/variables/globals.yml
       strategy:
         matrix:
           ${{ if eq(parameters.ExcludeGoNMinus2, false) }}:
@@ -145,7 +145,9 @@ stages:
     - job: Analyze
       displayName: Analyze
       variables:
-        - template: /eng/pipelines/templates/variables/globals.yml
+          Codeql.Enabled: true
+          Codeql.BuildIdentifier: ${{ parameters.ServiceDirectory }}
+          Codeql.SkipTaskAutoInjection: false
       pool:
         name: azsdk-pool-mms-ubuntu-2004-general
 
@@ -173,6 +175,8 @@ stages:
       - ${{ if or(contains(parameters.Clouds, cloud.key), and(contains(variables['Build.DefinitionName'], 'weekly'), contains(parameters.SupportedClouds, cloud.key))) }}:
         - ${{ if not(contains(parameters.UnsupportedClouds, cloud.key)) }}:
           - stage: ${{ cloud.key }}
+            variables:
+            - template: /eng/pipelines/templates/variables/globals.yml
             displayName: Live Test ${{ cloud.key }}
             dependsOn: []
             jobs:

diff --git a/eng/pipelines/templates/variables/globals.yml b/eng/pipelines/templates/variables/globals.yml
@@ -5,3 +5,6 @@ variables:
   # https://docs.opensource.microsoft.com/tools/cg/index.html
   # https://github.com/microsoft/component-detection/blob/main/src/Microsoft.ComponentDetection.Detectors/go/GoComponentDetector.cs
   EnableGoCliScan: true
+
+  # Disable CodeQL injections except for where we specifically enable it
+  Codeql.SkipTaskAutoInjection: true