CodeQL is a static analysis tool that is able to scan source code to help detect security vulnerabilities. In mono/mono.posix, there already exists auto-injection of CodeQL's init and finalize tasks within the official default pipeline.
We enable CodeQL directly on the main pipeline as there are relatively few jobs, and because commits are relatively infrequent, there is no need for a separate pipeline to specify a cadence (periods between commits and therefore pipeline builds can be over a week long, so if there is no change, there is no need for a new CodeQL scan).
This PR does the following:

- Enables CodeQL
- Enables TSA with CodeQL
- Doesn't reference the vulnerable Newtonsoft.Json that gets flagged by Component Governance.
- Also fixes the `test` stage dependency so it only runs if `build_artifacts` succeeds.
We never actually used the MACOS_MIN_VERSION variable anywhere, so it was defaulting to the version of the macOS build host.

The macos-10.15 Azure DevOps image is getting deprecated, so bump to macos-12 and fix the build so it still compiles with a min version of 10.15.

The configure checks need -Werror=unguarded-availability, otherwise they'll erroneously detect presence of symbols.
Rebuilding the managed code on Windows causes it to want to use `msvcrt` instead of `c` when resolving `libc` p/invokes, which will cause the libc calls to fail on Unix.

Download and extract the `Managed` artifact on packaging time, so that the assemblies built on Unix are properly packaged and not rebuilt.
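The stage dependency fix described above, as an added illustration that is not the PR's own diff: an Azure Pipelines fragment in which the `test` stage declares `dependsOn` on `build_artifacts` and additionally gates on `succeeded('build_artifacts')`, so a failed or cancelled build stage skips the tests instead of letting them run against missing artifacts. Stage names match the description; the job names, the `macos-12` pool, and the `MACOS_MIN_VERSION` / `CFLAGS` wiring are assumptions for illustration only.

```yaml
# Added example (not the mono.posix pipeline itself): stage gating and
# the macOS variables the PR description mentions. Job names, pool and
# variable wiring are assumptions.
variables:
  # Pin the deployment target instead of inheriting the host's version.
  MACOS_MIN_VERSION: '10.15'

stages:
  - stage: build_artifacts
    displayName: Build artifacts
    jobs:
      - job: build_macos
        pool:
          vmImage: 'macos-12'   # macos-10.15 image is being deprecated
        steps:
          - script: |
              # -Werror=unguarded-availability makes configure checks fail
              # for symbols newer than MACOS_MIN_VERSION instead of
              # "detecting" them on the newer build host.
              export MACOSX_DEPLOYMENT_TARGET="$(MACOS_MIN_VERSION)"
              export CFLAGS="-mmacosx-version-min=$(MACOS_MIN_VERSION) -Werror=unguarded-availability"
              ./configure && make
            displayName: Configure and build (assumed commands)
          - publish: $(Build.SourcesDirectory)/artifacts/managed
            artifact: Managed

  - stage: test
    displayName: Test
    # Ordering alone is not enough: without the condition, the stage
    # would still run when build_artifacts is skipped or fails.
    dependsOn: build_artifacts
    condition: succeeded('build_artifacts')
    jobs:
      - job: test_unix
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          # Reuse the Unix-built assemblies rather than rebuilding them,
          # avoiding the msvcrt-vs-c libc p/invoke mismatch.
          - download: current
            artifact: Managed
          - script: make test
            displayName: Run tests (assumed command)
```

The `condition: succeeded('build_artifacts')` line is the part that matters for the dependency fix; `dependsOn` only orders the stages, and a stage whose dependency failed can still run under a permissive condition. Tying the min version to a variable also makes it visible in the pipeline rather than silently following whatever macOS the hosted image happens to be.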