From a7296d4d7040778aa04a1d2dfaeccc286d155057 Mon Sep 17 00:00:00 2001
From: Andy Voltz
Date: Wed, 13 Mar 2024 18:27:45 +0000
Subject: [PATCH 1/4] pipelines: add a codeql build job
---
 pipelines/OneBranch.body.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml
index 5a8f4356c..b4475735e 100644
--- a/pipelines/OneBranch.body.yml
+++ b/pipelines/OneBranch.body.yml
@@ -69,6 +69,23 @@ stages:
 TOOLCHAIN_IMAGE: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.TOOLCHAIN_IMAGE'] ]
 pipelineBuildTag: $[ stageDependencies.setup.Setup.outputs['setupEnvironment.VERSION_TAG'] ]
 jobs:
+ - job: build_for_codeql
+ timeoutInMinutes: 30
+ displayName: Build for codeql analysis
+ pool:
+ type: linux
+ variables:
+ ob_outputDirectory: "$(Build.ArtifactStagingDirectory)/out"
+ steps:
+ - task: CodeQL3000Init@0
+ displayName: CodeQL initialize
+ - bash: |
+ make
+ displayName: Run make
+ name: makeCsi
+ - task: CodeQL3000Finalize@0
+ displayName: CodeQL finalize
+
 - ${{ each arch in parameters.architectures }}:
 - job: build_csi_container_${{ arch }}
 timeoutInMinutes: 60
From 2c3753f72a2859a97f4cc8bc29ec324b812fa7d2 Mon Sep 17 00:00:00 2001
From: Andy Voltz
Date: Thu, 14 Mar 2024 19:31:33 +0000
Subject: [PATCH 2/4] pipelines: allow ForceCodeQL var to force builds, otherwise run on staging only
---
 pipelines/OneBranch.body.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml
index b4475735e..0df7b2d7d 100644
--- a/pipelines/OneBranch.body.yml
+++ b/pipelines/OneBranch.body.yml
@@ -72,6 +72,10 @@ stages:
 - job: build_for_codeql
 timeoutInMinutes: 30
 displayName: Build for codeql analysis
+ condition: or(
+ eq(variables['Build.SourceBranch'], 'refs/heads/staging'),
+ ne(variables['ForceCodeQL'], '')
+ )
 pool:
 type: linux
 variables:
From d8a286d1a327f2b6a25ced41871d4c7db4d99ca4 Mon Sep 17 00:00:00 2001
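Review bot: The bare `make` step between CodeQL3000Init@0 and CodeQL3000Finalize@0 is what defines the scan's coverage, yet nothing records that its default target must match what the `build_csi_container_${{ arch }}` jobs in the same stage ship; anything compiled outside this traced invocation is never analysed. I would add above `make` the comment `# CodeQL traces only what this make invocation compiles; keep the target in sync with the container build jobs`. The step is given `name: makeCsi`, but nothing in the hunk reads an output from it, so the name looks left over. The job also does not use the stage's TOOLCHAIN_IMAGE variable, so it presumably compiles with whatever toolchain the linux pool image provides rather than the pinned one; worth confirming that the scanned build is the shipped build.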
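Review bot: `ne(variables['ForceCodeQL'], '')` treats any non-empty value as a force, so a queue-time `ForceCodeQL=false` (or `0`) still runs the CodeQL build; `eq(lower(variables['ForceCodeQL']), 'true')` pins the opt-in to an explicit value. The expression is a plain scalar continued over four lines, which YAML folds into one string, but writing it as a block scalar `condition: >-` makes the multi-line intent explicit and survives reformatting. For pull-request validation builds Build.SourceBranch is typically a `refs/pull/…/merge` ref, so as written only post-merge commits on staging are scanned; if that is intended, a comment next to the condition saying so would save the next reader the deduction.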
From: Andy Voltz
Date: Thu, 14 Mar 2024 19:59:29 +0000
Subject: [PATCH 3/4] pipelines: add workaround for go tracing
---
 pipelines/OneBranch.body.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml
index 0df7b2d7d..85ba26fca 100644
--- a/pipelines/OneBranch.body.yml
+++ b/pipelines/OneBranch.body.yml
@@ -84,6 +84,20 @@ stages:
 - task: CodeQL3000Init@0
 displayName: CodeQL initialize
 - bash: |
+ set -ex
+ # Add a workaround to allow indirect tracing for the go code
+ # inspired by: https://github.com/github/codeql-action/pull/1909
+ #
+ WORKAROUND_DIR=$(mktemp -d)
+ WHICH_GO=$(which go)
+ cat > "${WORKAROUND_DIR}/go" <
Date: Thu, 14 Mar 2024 23:00:48 +0000
Subject: [PATCH 4/4] pipelines: add comment about go version
---
 pipelines/OneBranch.body.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pipelines/OneBranch.body.yml b/pipelines/OneBranch.body.yml
index 85ba26fca..58e968506 100644
--- a/pipelines/OneBranch.body.yml
+++ b/pipelines/OneBranch.body.yml
@@ -89,6 +89,7 @@ stages:
 # inspired by: https://github.com/github/codeql-action/pull/1909
 #
 WORKAROUND_DIR=$(mktemp -d)
+ # We may need to use a task to pick the go version if this breaks
 WHICH_GO=$(which go)
 cat > "${WORKAROUND_DIR}/go" <