[release/v7.6] Refactor analyze job to reusable workflow and enable on Windows CI #26494
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…owerShell#26322) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: TravisEz13 <10873629+TravisEz13@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR refactors the CodeQL security analysis infrastructure by extracting the analyze job into a reusable workflow and enabling it on Windows CI. The changes position the release/v7.6 branch to use this new pattern when CodeQL analysis is re-enabled.
- Adds a
Configurationparameter toInvoke-CIBuildwith a default of'Release'to support different build configurations including'StaticAnalysis'for CodeQL - Creates a new reusable workflow
analyze-reusable.ymlthat can be shared across Linux and Windows CI pipelines - Updates both Linux and Windows CI workflows to use the new reusable analyze workflow
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tools/ci.psm1 | Adds optional Configuration parameter to Invoke-CIBuild with default 'Release' to maintain backward compatibility while supporting 'StaticAnalysis' for CodeQL |
| .github/workflows/analyze-reusable.yml | New reusable workflow for CodeQL analysis that can be called from multiple CI pipelines with platform-specific runner configuration |
| .github/workflows/linux-ci.yml | Replaces commented-out inline analyze job with call to new reusable workflow |
| .github/workflows/windows-ci.yml | Adds CodeQL analysis job using the reusable workflow and includes it in the ready-to-merge gate |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
SeeminglyScience
approved these changes
Nov 20, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport of #26322 to release/v7.6
Triggered by @TravisEz13 on behalf of @copilot-swe-agent
Original CL Label: CL-Tools
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
This is a CI/CD infrastructure change that refactors the CodeQL analysis job into a reusable workflow pattern and enables it on Windows CI. While the analyze job is currently disabled in v7.6, this backport ensures the infrastructure is ready when CodeQL analysis is re-enabled. It also adds Windows security scanning capability.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified by cherry-picking to release/v7.6 branch. The new reusable workflow follows the same pattern as the original inline analyze job. Changes to tools/ci.psm1 add a Configuration parameter with default 'Release' to maintain backward compatibility. The backport includes the complete refactoring: creation of analyze-reusable.yml, refactoring of linux-ci.yml to use the reusable workflow, and addition of analyze job to windows-ci.yml.
Risk
REQUIRED: Check exactly one box.
Medium risk: This refactors CI infrastructure by extracting the CodeQL analyze job into a reusable workflow and extends it to Windows CI. While it changes workflow structure, it maintains the same CodeQL analysis behavior. The analyze job is currently commented out in v7.6 due to .NET SDK compatibility, so this backport positions the branch to use the new pattern when analysis is re-enabled. The tools/ci.psm1 change adds an optional parameter with safe defaults.
Merge Conflicts
The file .github/workflows/linux-ci.yml had a conflict during cherry-pick.
Conflict Type: Code replacement - inline job vs reusable workflow
Cause: The release/v7.6 branch has the analyze job commented out (temporarily disabled due to .NET SDK 10-rc.2 compatibility issues), while the PR wants to replace it with a call to the new reusable workflow.
Resolution: Removed the commented-out analyze job (approximately 58 lines) and replaced it with the new reusable workflow call from the PR (11 lines). This maintains the refactoring intent - when CodeQL analysis is re-enabled in v7.6, it will use the new reusable workflow pattern.
Manual Changes: None - applied the incoming change exactly as intended in the original PR, preserving the workflow structure and permissions.