[build] Enable CodeQL with TSA (#76751)

* [SDL] Enable CodeQL in separate pipeline  with TSA

* Address feedback

* Move CodeQL manual tasks

* [build] Move internal variables to template

* Guard Manual CodeQL tasks with isSourceBuild

.config/tsaoptions.json

+{
+    "instanceUrl": "https://devdiv.visualstudio.com/",
+    "template": "TFSDEVDIV",
+    "projectName": "DEVDIV",
+    "areaPath": "DevDiv\\NET Libraries",
+    "iterationPath": "DevDiv",
+    "notificationAliases": [ "runtimerepo-infra@microsoft.com" ],
+    "repositoryName": "Runtime",
+    "codebaseName": "Runtime"
+}
\ No newline at end of file

eng/common/templates/job/job.yml

@@ -227,4 +227,3 @@ jobs:
         PackageVersion: ${{ parameters.packageVersion}}
         BuildDropPath: ${{ parameters.buildDropPath }}
         IgnoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
-

eng/pipelines/common/global-build-job.yml

@@ -32,6 +32,7 @@ parameters:
   enableRichCodeNavigation: false
   richCodeNavigationLanguage: 'csharp'
   richCodeNavigationEnvironment: 'production'
+  isManualCodeQLBuild: false
 
 jobs:
 - template: /eng/common/templates/job/job.yml
@@ -162,13 +163,23 @@ jobs:
         inputs:
           filePath: $(Build.SourcesDirectory)/eng/pipelines/mono/update-machine-certs.ps1
 
+
     # Build
     - ${{ if eq(parameters.isSourceBuild, false) }}:
+      - ${{ if eq(parameters.isManualCodeQLBuild, true) }}:
+        - task: CodeQL3000Init@0
+          displayName: Initialize CodeQL (manually-injected)
+
       - script: $(_sclEnableCommand) $(Build.SourcesDirectory)$(dir)build$(scriptExt) -ci -arch ${{ parameters.archType }} $(_osParameter) ${{ parameters.buildArgs }} $(_officialBuildParameter) $(_crossBuildPropertyArg) $(_cxx11Parameter) $(_richCodeNavigationParam) $(_buildDarwinFrameworksParameter) $(_overrideTestScriptWindowsCmdParameter)
         displayName: Build product
         ${{ if eq(parameters.useContinueOnErrorDuringBuild, true) }}:
           continueOnError: ${{ parameters.shouldContinueOnError }}
 
+      - ${{ if eq(parameters.isManualCodeQLBuild, true) }}:
+        - task: CodeQL3000Finalize@0
+          displayName: Finalize CodeQL (manually-injected)
+    #endif isSourceBuild
+
     - ${{ if in(parameters.osGroup, 'OSX', 'iOS', 'tvOS', 'Android') }}:
       - script: |
           du -sh $(Build.SourcesDirectory)/*

eng/pipelines/common/internal-variables.yml

+parameters:
+  teamName: ''
+
+variables:
+  - name: TeamName
+    value: ${{ parameters.teamName }}
+  - name: PostBuildSign
+    value: true

eng/pipelines/runtime-codeql.yml

+trigger:
+  none
+
+schedules:
+  - cron: 0 12 * * 1
+    displayName: Weekly Monday CodeQL/Semmle run
+    branches:
+      include:
+      - main
+    always: true
+
+variables:
+  - template: /eng/pipelines/common/variables.yml
+  - name: Codeql.Enabled
+    value: True
+  - name: Codeql.Cadence
+    value: 0
+  - name: Codeql.TSAEnabled
+    value: True
+  - name: Codeql.BuildIdentifier
+    value: $(System.JobDisplayName)
+  - name: Codeql.Language
+    value: cpp,csharp,java,python
+
+extends:
+  template:  /eng/pipelines/common/templates/pipeline-with-resources.yml
+  parameters:
+    stages:
+    - stage: Build
+      jobs:
+
+      #
+      # Build CoreCLR runtime packs
+      #
+      - template: /eng/pipelines/common/platform-matrix.yml
+        parameters:
+          jobTemplate: /eng/pipelines/common/global-build-job.yml
+          buildConfig: release
+          platforms:
+          - Linux_x64
+          - windows_x64
+          jobParameters:
+            buildArgs: -s clr+libs+host+packs -c $(_BuildConfig)
+            nameSuffix: AllSubsets_CoreCLR
+            isOfficialBuild: ${{ variables.isOfficialBuild }}
+            timeoutInMinutes: 360
+            isManualCodeQLBuild: true
+
+      #
+      # Build Mono runtime packs
+      #
+      - template: /eng/pipelines/common/platform-matrix.yml
+        parameters:
+          jobTemplate: /eng/pipelines/common/global-build-job.yml
+          buildConfig: release
+          runtimeFlavor: mono
+          platforms:
+          - Linux_x64
+          - windows_x64
+          jobParameters:
+            buildArgs: -s mono+libs+host+packs+mono.mscordbi -c $(_BuildConfig)
+            nameSuffix: AllSubsets_Mono
+            isOfficialBuild: ${{ variables.isOfficialBuild }}
+            timeoutInMinutes: 360
+            isManualCodeQLBuild: true

eng/pipelines/runtime-official.yml

@@ -24,11 +24,9 @@ pr: none
 
 variables:
 - template: /eng/pipelines/common/variables.yml
-# TODO: (Consolidation) Switch away from old signing/validation variables from former Core-Setup. https://github.com/dotnet/runtime/issues/1027
-- name: TeamName
-  value: dotnet-core-acquisition
-- name: PostBuildSign
-  value: true
+- template: /eng/pipelines/common/internal-variables.yml
+  parameters:
+    teamName: dotnet-core-acquisition
 
 extends:
   template:  /eng/pipelines/common/templates/pipeline-with-resources.yml