Log more details for the codeql flow

microsoft · Nov 14, 2024 · 4e5e9a3 · 4e5e9a3
1 parent 41083d4
commit 4e5e9a3
Showing 1 changed file with 41 additions and 4 deletions.
diff --git a/.pipelines/build.yaml b/.pipelines/build.yaml
@@ -9,8 +9,17 @@ jobs:
       - group: moc-build
       - name: GO111MODULE
         value: "on"
+      - name: GDN_VERSION
+        value: '0.110.0-linux'
+      - name: GDNP_VERSION
+        value: '1.61.0-linux'
+      - name: LGTM.UploadSnapshot
+        value: true
 
     steps:
+      - checkout: self
+        fetchTags: true
+        fetchDepth: 0
       - task: GoTool@0
         inputs:
           version: "1.22.5"
@@ -19,11 +28,36 @@ jobs:
           knownHostsEntry: "$(KNOWN_HOST)"
           sshPublicKey: "$(SSH_PUBLIC_KEY)"
           sshKeySecureFile: "azure-pipelines-ssh-key-new"
-      - script: |
-          git config --global url.ssh://git@github.com/.insteadOf https://github.com/
-          git config --global url."msazure@vs-ssh.visualstudio.com:v3".insteadOf https://msazure.visualstudio.com
-        displayName: "Set up the Go workspace"
 
+      - task: AzureCLI@2
+        inputs:
+          azureSubscription: 'kva-azuredevops-gcm'
+          scriptType: 'bash'
+          scriptLocation: 'inlineScript'
+          inlineScript: |
+
+            # Note that the resource is specified to limit the token to Azure DevOps
+            aadToken=$(az account get-access-token --query accessToken --resource 499b84ac-1321-427f-aa17-267ca6975798 -o tsv)
+    
+            # uncomment these for more debugging spew
+            # GIT_TRACE=1
+            # GIT_CURL_VERBOSE=1
+
+            git config --global http.extraheader "AUTHORIZATION: bearer $aadToken"
+            git config --global url."ssh://git@github.com/".insteadOf "https://github.com/"
+          displayName: 'Set git config'
+
+      - task: CodeQL3000Init@0
+        inputs:
+          ${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), startsWith(variables['Build.SourceBranch'], 'refs/pull/')) }}:
+            Enabled: true # Enables CodeQL on the main branch and on PR branches
+          ${{ else }}:
+            Enabled: false
+          ${{ if startsWith(variables['Build.SourceBranch'], 'refs/pull/') }}:
+            AnalyzeInPipeline: true # Local analysis is only enabled on PR branches
+          Language: go
+
+
       - script: |
           # Static binary workaround for CodeQL and Go 1.21 and higher
           # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/onboarding/language-compiled
@@ -44,6 +78,9 @@ jobs:
         timeoutInMinutes: 120
         displayName: "Build"
 
+      - task: CodeQL3000Finalize@0
+        condition: always()
+
       - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
         displayName: "SBOM Generation"
         inputs: