From a6cbaeeae53e0735aede55cfa55ff88dd349aa90 Mon Sep 17 00:00:00 2001
From: "Michael Hawker MSFT (XAML Llama)" <24302614+michael-hawker@users.noreply.github.com>
Date: Thu, 24 Aug 2023 12:53:48 -0700
Subject: [PATCH 1/3] Create codeql.yml file for custom build
Auto-build could not build our repository, so adding in steps from our build.yml to enable scanning with CodeQL
---
 .github/workflows/codeql.yml | 99 ++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..d1a733c4
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,99 @@
+
+name: "CodeQL Scan"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '28 19 * * 0'
+
+env:
+ DOTNET_VERSION: ${{ '7.0.100' }}
+ MULTI_TARGET_DIRECTORY: tooling/MultiTarget
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: windows-latest
+ timeout-minutes: 360
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'csharp' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+ # Use only 'java' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Install .NET SDK v${{ env.DOTNET_VERSION }}
+ uses: actions/setup-dotnet@v3
+ with:
+ dotnet-version: ${{ env.DOTNET_VERSION }}
+
+ - name: .NET Info (if diagnostics)
+ run: dotnet --info
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ # Restore Tools from Manifest list in the Repository
+ - name: Restore dotnet tools
+ run: dotnet tool restore
+
+ - name: Run Uno Check to Install Dependencies
+ run: dotnet tool run uno-check --ci --fix --non-interactive --skip wsl --skip androidemulator --skip vswinworkloads --verbose
+
+ - name: Add msbuild to PATH
+ uses: microsoft/setup-msbuild@v1.3.1
+
+ - name: Enable all TargetFrameworks
+ working-directory: ./${{ env.MULTI_TARGET_DIRECTORY }}
+ run: ./UseTargetFrameworks.ps1 all -ErrorAction Stop
+
+ - name: Generate solution w/ All Tests
+ working-directory: ./
+ run: powershell -version 5.1 -command "./tooling/GenerateAllSolution.ps1 -IncludeHeads WinAppSdk -UseDiagnostics" -ErrorAction Stop
+
+ - name: Enable Uno.WinUI
+ working-directory: ./${{ env.MULTI_TARGET_DIRECTORY }}
+ run: ./UseUnoWinUI.ps1 3 -ErrorAction Stop
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ - name: MSBuild
+ run: >
+ msbuild.exe /restore /nowarn:MSB4011
+ /p:Configuration=Release
+ /m
+ CommunityToolkit.AllComponents.sln
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
From 1986d537aaeb8a6c5a9cf122dd3dfc26b7af78b2 Mon Sep 17 00:00:00 2001
From: michael-hawker <24302614+michael-hawker@users.noreply.github.com>
Date: Fri, 25 Aug 2023 15:28:17 -0700
Subject: [PATCH 2/3] Add CodeQL Config file to enable additional queries for Security
Also go back to large runner as analysis ran out of memory before Update CodeQL Config to Limit Scope Don't run if only changes to markdown files, samples, or tests Only analyze src files and not generated files .g.cs files
---
 .github/codeql/codeql-config.yml | 13 +++++++++++++
 .github/workflows/codeql.yml | 10 ++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 .github/codeql/codeql-config.yml
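Review bot: Every third-party action in `steps` is referenced by a mutable tag (`actions/setup-dotnet@v3`, `actions/checkout@v3`, `microsoft/setup-msbuild@v1.3.1`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`), so whoever can move a tag changes what executes in a job that holds `security-events: write`; pinning each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, makes the build reproducible and lets a dependency bot track updates. The `permissions` block is otherwise well scoped to read access plus `security-events: write`, which is what `analyze` needs to upload results. As a style point, `DOTNET_VERSION: ${{ '7.0.100' }}` wraps a literal in an expression to no effect; `DOTNET_VERSION: '7.0.100'` reads the same. `timeout-minutes: 360` restates the six-hour default, so a hung MSBuild step still occupies a runner for the full six hours; a budget based on observed run times would surface hangs sooner.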
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 00000000..b485ace7
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,13 @@
+name: "Security and Quality"
+
+queries:
+ - name: Queries from security-extended, plus maintainability and reliability queries
+ uses: security-and-quality
+ - name: Queries from the default suite, plus lower severity and precision queries
+ uses: security-extended
+
+paths:
+ - '**/src/**/*.cs'
+paths-ignore:
+ - '**/*.g.cs'
+ - '**/*.g.i.cs'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d1a733c4..fae24a27 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -7,6 +7,11 @@ on:
 pull_request:
 # The branches below must be a subset of the branches above
 branches: [ "main" ]
+ paths-ignore:
+ - '**/*.md'
+ - '**/*.txt'
+ - '**/samples/**/*'
+ - '**/tests/**/*'
 schedule: + - cron: '28 19 * * 0'
@@ -22,7 +27,7 @@ jobs:
 # - https://gh.io/supported-runners-and-hardware-resources
 # - https://gh.io/using-larger-runners
 # Consider using larger runners for possible analysis time improvements.
- runs-on: windows-latest
+ runs-on: windows-latest-large
 timeout-minutes: 360
 permissions:
 actions: read
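Review bot: The second `queries` entry is redundant by the file's own descriptions: `security-and-quality` is described as "Queries from security-extended, plus maintainability and reliability queries", so `uses: security-extended` adds nothing on top of it and the list can be reduced to the single `security-and-quality` entry. The `paths` and `paths-ignore` filters also deserve a comment, because for a compiled language such as C# the MSBuild step still compiles the generated `.g.cs` files and everything outside `src`; as I understand it these filters narrow which alerts are reported rather than what is extracted, so they will not reduce analysis time or memory, which is the motivation given in the commit message. A one-line comment above `paths:` such as `# Filters reported alerts only; the MSBuild step still compiles everything` would stop a future reader from tightening them in the hope of a faster run.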
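Review bot: `paths-ignore` under `pull_request` means a PR that touches only the listed paths never starts this workflow, so if the CodeQL check is, or later becomes, a required status check on `main`, such PRs will wait on a check that never reports; GitHub's documented handling for this is either to keep the check non-required or to add a same-named workflow with the inverse `paths` filter that reports success. The `push` trigger keeps no filter, so `main` is always scanned after merge, which is the right default. A note above `paths-ignore:` such as `# Skipped PRs report no CodeQL status; do not mark this check required without a matching no-op workflow` would record that constraint next to the filter. The enclosing `on:` block starts above this hunk.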
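Review bot: The comment block directly above `runs-on: windows-latest-large` still says "Consider using larger runners for possible analysis time improvements", while the commit message gives the actual reason as the analysis running out of memory on `windows-latest`; the comment should record that, e.g. `# windows-latest-large: the standard runner ran out of memory during CodeQL analysis`, so the next person does not downgrade it to save cost. `windows-latest-large` is presumably an organization-defined larger-runner label rather than a GitHub-hosted image name; if the label is ever renamed or removed, I believe the job will sit queued rather than fail fast, so naming where the runner group is configured in that comment would help.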
@@ -79,12 +84,13 @@ jobs:
 uses: github/codeql-action/init@v2
 with:
 languages: ${{ matrix.language }}
+ config-file: ./.github/codeql/codeql-config.yml
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
 # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- # queries: security-extended,security-and-quality
+ # queries: +security-extended,security-and-quality
 - name: MSBuild
 run: >
From 7b8a38f6833664c3271d3b023e309bc518427525 Mon Sep 17 00:00:00 2001
From: michael-hawker <24302614+michael-hawker@users.noreply.github.com>
Date: Thu, 24 Aug 2023 15:32:13 -0700
Subject: [PATCH 3/3] Update sub-module with clean-up and fix for WASM CodeQL warning
---
 tooling | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tooling b/tooling
index d8230e99..07a41191 160000
--- a/tooling
+++ b/tooling
@@ -1 +1 @@
-Subproject commit d8230e99d43c67f31b014583c769d5192832afed
+Subproject commit 07a41191e05fd208ef024a983264ed3a0aca20bb
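Review bot: `config-file: ./.github/codeql/codeql-config.yml` is a workspace-relative path, so on `pull_request` runs the query suites and path filters come from the PR's own copy of the file, and a PR can narrow the scope of the analysis that reports on it; the `push` run on `main` still uses main's config, which bounds the impact, but changes under `.github/codeql/` should be reviewed with the same care as workflow changes. The updated comment `# queries: +security-extended,security-and-quality` correctly shows the `+` form that merges inline queries with the config file. A short comment on the new line, e.g. `# Query suites and path filters live in the config file; treat edits to it like workflow edits`, would make that relationship visible to reviewers. The `Initialize CodeQL` step begins above this hunk.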