From 3f153f4de19005ff35990d85af9c39137015fa47 Mon Sep 17 00:00:00 2001
From: Peter Collins <pecolli@microsoft.com>
Date: Mon, 15 Jul 2024 16:06:06 -0400
Subject: [PATCH] [ci] Disable CodeQL on macOS, Linux, non-main jobs (#9111)

Attempt to save some build time on macOS and Linux by disabling CodeQL.
This step will still run during the Windows build job in CI, as well as
the macOS nightly build job.

An explicit branch check has also been added to ensure CodeQL only runs
against the main branch.
---
 build-tools/automation/azure-pipelines.yaml            | 5 ++++-
 build-tools/automation/yaml-templates/build-linux.yaml | 5 +++++
 build-tools/automation/yaml-templates/build-macos.yaml | 5 +++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 6d4382099f7..86f3ca76bd4 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -74,7 +74,10 @@ extends:
       binskim:
         scanOutputDirectoryOnly: true
       codeql:
-        runSourceLanguagesInSourceAnalysis: true
+        ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+          compiled:
+            enabled: false
+            justificationForDisabling: CodeQL disabled for non-main branch builds
       policheck:
         enabled: false
         justification: Built in task does not support multi-language scanning
diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml
index f34a25ba776..796b5fe5df0 100644
--- a/build-tools/automation/yaml-templates/build-linux.yaml
+++ b/build-tools/automation/yaml-templates/build-linux.yaml
@@ -35,6 +35,11 @@ stages:
       CC: gcc-10
     ${{ if eq(parameters.use1ESTemplate, true) }}:
       templateContext:
+        sdl:
+          codeql:
+            compiled:
+              enabled: false
+              justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
         outputs:
         - output: pipelineArtifact
           displayName: upload linux sdk
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml
index 804379f39dc..79213c63553 100644
--- a/build-tools/automation/yaml-templates/build-macos.yaml
+++ b/build-tools/automation/yaml-templates/build-macos.yaml
@@ -41,6 +41,11 @@ stages:
       clean: all
     ${{ if eq(parameters.use1ESTemplate, true) }}:
       templateContext:
+        sdl:
+          codeql:
+            compiled:
+              enabled: false
+              justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
         outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
         outputs:
         - output: pipelineArtifact