dotnet · AndriySvyryd · Oct 28, 2024
diff --git a/azure-pipelines-public.yml b/azure-pipelines-public.yml
@@ -1,21 +1,3 @@
-schedules:
-- cron: 0 9 * * 1
-  displayName: "Run CodeQL3000 weekly, Monday at 2:00 AM PDT"
-  branches:
-    include:
-    - main
-  always: true
-
-parameters:
-# Parameter below is ignored in public builds.
-#
-# Choose whether to run the CodeQL3000 tasks.
-# Manual builds align w/ official builds unless this parameter is true.
-- name: runCodeQL3000
-  default: false
-  displayName: Run CodeQL3000 tasks
-  type: boolean
-
 variables:
   - name: _BuildConfig
     value: Release
@@ -35,8 +17,6 @@ variables:
   - ${{ if eq(variables['System.TeamProject'], 'public') }}:
     - name: _InternalRuntimeDownloadArgs
       value: ''
-  - name: runCodeQL3000
-    value: ${{ and(ne(variables['System.TeamProject'], 'public'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }}
   - template: /eng/common/templates/variables/pool-providers.yml
 
 trigger:
@@ -55,10 +35,10 @@ stages:
   jobs:
     - template: eng/common/templates/jobs/jobs.yml
       parameters:
-        enableMicrobuild: ${{ ne(variables.runCodeQL3000, 'true') }}
+        enableMicrobuild: true
         enablePublishBuildArtifacts: true
-        enablePublishBuildAssets: ${{ ne(variables.runCodeQL3000, 'true') }}
-        enablePublishTestResults: ${{ ne(variables.runCodeQL3000, 'true') }}
+        enablePublishBuildAssets: true
+        enablePublishTestResults: true
         enablePublishUsingPipelines: ${{ variables._PublishUsingPipelines }}
         enableTelemetry: true
         helixRepo: dotnet/ef6
@@ -71,14 +51,7 @@ stages:
               ${{ if ne(variables['System.TeamProject'], 'public') }}:
                 name: $(DncEngInternalBuildPool)
                 demands: ImageOverride -equals 1es-windows-2019
-            ${{ if eq(variables.runCodeQL3000, 'true') }}:
-              # Component governance and SBOM creation are not needed here. Disable what Arcade would inject.
-              disableComponentGovernance: true
-              enableSbom: false
-              # CodeQL3000 extends build duration.
-              timeoutInMinutes: 240
-            ${{ else }}:
-              timeoutInMinutes: 180
+            timeoutInMinutes: 180
             variables:
               - _AdditionalBuildArgs: ''
               - _InternalBuildArgs: ''
@@ -89,20 +62,6 @@ stages:
                                       /p:OfficialBuildId=$(BUILD.BUILDNUMBER)
                                       /p:DotNetPublishUsingPipelines=$(_PublishUsingPipelines)
                                       /p:DotNetArtifactsCategory=$(_DotNetArtifactsCategory)
-              - ${{ if eq(variables.runCodeQL3000, 'true') }}:
-                - _AdditionalBuildArgs: /p:Test=false /p:Sign=false /p:Pack=false /p:Publish=false /p:UseSharedCompilation=false
-                # Security analysis is included in normal runs. Disable its auto-injection.
-                - skipNugetSecurityAnalysis: true
-                # Do not let CodeQL3000 Extension gate scan frequency.
-                - Codeql.Cadence: 0
-                # Enable CodeQL3000 unconditionally so it may be run on any branch.
-                - Codeql.Enabled: true
-                # Ignore test and infrastructure code.
-                - Codeql.SourceRoot: src
-                # CodeQL3000 needs this plumbed along as a variable to enable TSA.
-                - Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }}
-                # Default expects tsaoptions.json under SourceRoot.
-                - Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
             steps:
               - checkout: self
                 clean: true
@@ -128,38 +87,28 @@ stages:
                     arguments: -ConfigFile $(Build.SourcesDirectory)/NuGet.config -Password $Env:Token
                   env:
                     Token: $(dn-bot-dnceng-artifact-feeds-rw)
-              - ${{ if eq(variables.runCodeQL3000, 'true') }}:
-                - task: CodeQL3000Init@0
-                  displayName: CodeQL Initialize
-                - script: "echo ##vso[build.addbuildtag]CodeQL3000"
-                  displayName: 'Set CI CodeQL3000 tag'
-                  condition: ne(variables.CODEQL_DIST,'')
               - script: eng\common\cibuild.cmd -configuration $(_BuildConfig) -prepareMachine $(_InternalBuildArgs)
                   $(_InternalRuntimeDownloadArgs) $(_AdditionalBuildArgs)
                 name: Build
-              - ${{ if eq(variables.runCodeQL3000, 'true') }}:
-                - task: CodeQL3000Finalize@0
-                  displayName: CodeQL Finalize
-              - ${{ else }}:
-                - task: PublishBuildArtifacts@1
-                  displayName: Upload TestResults
-                  condition: always()
-                  continueOnError: true
-                  inputs:
-                    pathtoPublish: artifacts/TestResults/$(_BuildConfig)/
-                    artifactName: $(Agent.Os)_$(Agent.JobName) TestResults
-                    artifactType: Container
-                    parallel: true
-                - task: PublishBuildArtifacts@1
-                  displayName: Upload artifacts
-                  condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false))
-                  inputs:
-                    pathtoPublish: 'artifacts/packages/'
-                    artifactName: packages
-                    artifactType: Container
-                    parallel: true
+              - task: PublishBuildArtifacts@1
+                displayName: Upload TestResults
+                condition: always()
+                continueOnError: true
+                inputs:
+                  pathtoPublish: artifacts/TestResults/$(_BuildConfig)/
+                  artifactName: $(Agent.Os)_$(Agent.JobName) TestResults
+                  artifactType: Container
+                  parallel: true
+              - task: PublishBuildArtifacts@1
+                displayName: Upload artifacts
+                condition: and(succeeded(), eq(variables['system.pullrequest.isfork'], false))
+                inputs:
+                  pathtoPublish: 'artifacts/packages/'
+                  artifactName: packages
+                  artifactType: Container
+                  parallel: true
 
-- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest'), ne(variables.runCodeQL3000, 'true')) }}:
+- ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
   - template: eng\common\templates\post-build\post-build.yml
     parameters:
       # Symbol validation isn't being very reliable lately. This should be enabled back

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -32,6 +32,7 @@ extends:
   parameters:
     featureFlags:
       autoBaseline: false
+      usePrefastVersion3: true
     sdl:
       sourceAnalysisPool:
         name: $(DncEngInternalBuildPool)
@@ -41,6 +42,7 @@ extends:
         baselineFile: $(Build.SourcesDirectory)\.config\guardian\.gdnbaselines
       binskim:
         scanOutputDirectoryOnly: true
+        preReleaseVersion: '4.3.1'
       policheck:
         enabled: true
       tsa: