Fix CodeQL pipeline to build all code without publishing #16135
joperezr merged 1 commit into microsoft:main from
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 16135
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 16135"
Pull request overview
Fixes the Azure DevOps CodeQL pipeline so it successfully compiles the full repo (including the VS Code extension) without triggering publishing/validation steps, enabling CodeQL analysis to run reliably on targeted branches.
Changes:
- Narrow scheduled CodeQL runs to `main` and `release/13.2`.
- Install Node.js + yarn + `vsce` to enable building the VS Code extension during the CodeQL build.
- Replace `cibuild.cmd` invocation with `build.cmd -restore -build` plus MSBuild properties to build the extension and skip native build.
    - script: build.cmd
      -restore -build
      -configuration $(_BuildConfig)
      -prepareMachine
      /p:Test=false
      displayName: Windows Build
      -ci
      /p:BuildExtension=true
      /p:SkipNativeBuild=true
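Review bot: `-ci`, `/p:BuildExtension=true` and `/p:SkipNativeBuild=true` appear after `displayName: Windows Build` in this excerpt; anything placed after the `displayName` key is not part of the `script:` value, so build.cmd would run without exactly the two properties this PR depends on. Keep the whole command in a single `script: |` block and put `displayName` after it, e.g. `script: |` / `build.cmd -restore -build -ci ... /p:BuildExtension=true /p:SkipNativeBuild=true` / `displayName: Windows Build`.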
The script step is currently split across multiple YAML lines with the arguments indented less than the `script:` value, so Azure Pipelines will not treat them as part of the same command. As written, this is likely parsed as either invalid YAML or as separate step keys/sequence items, and build.cmd will run without the intended arguments (or `-restore` will be executed as a separate command). Please format this like other pipelines in the repo (indent args to align under the script value) or use `script: |` / `script: >` so build.cmd receives `-restore -build -configuration ...` in the same invocation.
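The indentation problem the review comment above describes, shown as an added illustration rather than the pipeline file from microsoft/aspire: the commented-out step is the broken shape, where continuation lines are not indented under the `script` value, and the steps below it keep the whole command in one `script: |` block and install the extension prerequisites first. The `NodeTool@0` task, the Node.js version and the npm package names (`yarn`, `@vscode/vsce`) are assumptions about how the prerequisites could be installed, not what the PR's YAML actually contains.

```yaml
# Added illustration; not the CodeQL pipeline definition from microsoft/aspire.
#
# Broken shape (kept as comments so this file still parses). The second line
# is not indented deeper than the `script` key, so YAML does not treat it as a
# continuation of the scalar; it becomes a stray key with no value and the
# step either fails to parse or runs "build.cmd" with no arguments:
#
# - script: build.cmd
#   -restore -build -configuration $(_BuildConfig)
#   displayName: Windows Build

steps:
  # Assumed prerequisite step: Node.js for the VS Code extension build.
  - task: NodeTool@0
    inputs:
      versionSpec: '20.x'   # assumed version; use what the extension targets
    displayName: Install Node.js

  # Assumed prerequisite step: yarn and vsce installed globally via npm.
  - script: npm install -g yarn @vscode/vsce
    displayName: Install yarn and vsce

  # Working shape: a literal block scalar holds the complete command, so every
  # flag and MSBuild property reaches build.cmd in a single invocation.
  # Only -restore and -build are passed (no -test/-sign/-pack/-publish),
  # so nothing triggers the VSIX publish validation.
  - script: |
      build.cmd -restore -build -ci -configuration $(_BuildConfig) -prepareMachine /p:Test=false /p:BuildExtension=true /p:SkipNativeBuild=true
    displayName: Windows Build
```

A quick way to confirm the shape is right is to add a temporary `echo` of the same argument list in a `script: |` step, or to check the step's log header: Azure Pipelines prints the full command it executed, and every `/p:` property should appear on that one line.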
Do we have a validation run for the pipeline?
It's currently running.
Force-pushed 6680b31 to 9c6074f
The CodeQL pipeline (definition 1599) has been failing on main for weeks due to two issues:
1. cibuild.cmd hardwires -publish, which triggers VSIX validation in Publishing.props expecting a .vsix file that was never built (BuildExtension defaults to false).
2. Stale release/* branches with unavailable SDK versions.

Fix by:
- Using build.cmd with explicit -restore -build flags only (no -test, -sign, -pack, or -publish) so all code is compiled for CodeQL analysis without publishing artifacts.
- Adding /p:BuildExtension=true and Node.js/yarn/vsce prerequisites so the VS Code extension is included in the analysis.
- Adding /p:SkipNativeBuild=true to skip slow native AOT CLI builds that aren't useful for CodeQL C#/TS analysis.
- Narrowing scheduled branches to main and release/13.2 only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Force-pushed 9c6074f to 872eb31
Summary
The CodeQL pipeline (definition 1599) has been failing on `main` for several weeks. This PR fixes it.
Root Causes
VSIX validation error (April 6 & 13): `cibuild.cmd` hardwires -publish, which triggers publish validation in `Publishing.props` that expects exactly 1 `.vsix` file. Since `BuildExtension` defaults to `false`, no VSIX was ever built.
SDK resolution error (March 16–30): Stale `release/*` branches referenced unavailable SDK versions.
Changes
`release/13.2` only (other release branches are stale).