From 9bdd50f5713d1e0d8915cef5173951e8683f5e45 Mon Sep 17 00:00:00 2001
From: Hao Liu
Date: Wed, 3 Jun 2026 14:53:19 +0800
Subject: [PATCH 1/7] SFI: enable CodeQL in CI
---
 .pipelines/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.pipelines/ci.yml b/.pipelines/ci.yml
index 42622473..f1ce289a 100644
--- a/.pipelines/ci.yml
+++ b/.pipelines/ci.yml
@@ -38,6 +38,11 @@ extends:
 name: Azure-Pipelines-1ESPT-ExDShared
 image: windows-latest
 os: windows
+ codeql:
+ compiled:
+ enabled: true
+ buildIdentifier: 'Build_$(System.JobAttempt)'
+ runSourceLanguagesInSourceAnalysis: true
 stages:
 - stage: Build
 jobs:
From f7b8ce9ace7d353627b3070ff90f796626856d89 Mon Sep 17 00:00:00 2001
From: Hao Liu
Date: Wed, 3 Jun 2026 15:26:59 +0800
Subject: [PATCH 2/7] SFI: disable EmitCompilerGeneratedFiles to fix CS0016 under CodeQL3000
---
 AIDevGallery/AIDevGallery.csproj | 1 +
 1 file changed, 1 insertion(+)
diff --git a/AIDevGallery/AIDevGallery.csproj b/AIDevGallery/AIDevGallery.csproj
index e9b619ac..249498f3 100644
--- a/AIDevGallery/AIDevGallery.csproj
+++ b/AIDevGallery/AIDevGallery.csproj
@@ -20,6 +20,7 @@ $(NoWarn);IDISP001;IDISP002;IDISP003;IDISP004;IDISP006;IDISP007;IDISP008;IDISP017;IDISP025 true + false SamplesRoots.xml TELEMETRYEVENTSOURCE_PUBLIC
From f6e88b52cf186b6275f556450ba9983a69cedd4f Mon Sep 17 00:00:00 2001
From: Hao Liu
Date: Wed, 3 Jun 2026 15:59:51 +0800
Subject: [PATCH 3/7] SFI: explicitly invoke CodeQL3000 Init/Finalize around build to emit C# DB
---
 .pipelines/templates/build.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.pipelines/templates/build.yaml b/.pipelines/templates/build.yaml
index f64cff9c..bcefd2d4 100644
--- a/.pipelines/templates/build.yaml
+++ b/.pipelines/templates/build.yaml
@@ -15,10 +15,14 @@ steps:
 displayName: Update Package Manifest Version
 - script: dotnet restore AIDevGallery.sln -r win-${{ parameters.dotnet_platform }} /p:Configuration=${{ parameters.dotnet_configuration }} /p:Platform=${{ parameters.dotnet_platform }} /p:PublishReadyToRun=true /p:SelfContainedIfPreviewWASDK=true
 displayName: Restore dependencies - ${{ parameters.dotnet_platform }}
+- task: CodeQL3000Init@0
+ displayName: 'CodeQL Initialize'
 - script: |
 dotnet build AIDevGallery.Utils --no-restore /p:Configuration=Release
 dotnet build AIDevGallery --no-restore -r win-${{ parameters.dotnet_platform }} -f net9.0-windows10.0.26100.0 /p:Configuration=${{ parameters.dotnet_configuration }} /p:Platform=${{ parameters.dotnet_platform }} /p:AppxPackageDir="AppPackages/" /p:UapAppxPackageBuildMode=SideloadOnly /p:AppxBundle=Never /p:GenerateAppxPackageOnBuild=true /p:SelfContainedIfPreviewWASDK=true /p:LafPublisherId=$(LAF_PUBLISHER_ID) /p:LafToken=$(LAF_TOKEN)
 displayName: Build - ${{ parameters.dotnet_platform }}
+- task: CodeQL3000Finalize@0
+ displayName: 'CodeQL Finalize'
 - ${{ if eq(parameters.publishSymbols, true) }}:
 - task: PublishSymbols@2
 displayName: Publish Symbols - ${{ parameters.dotnet_platform }}
From 8b518538f7dee3d857be52416ccf796240571c29 Mon Sep 17 00:00:00 2001
From: Hao Liu
Date: Wed, 3 Jun 2026 16:21:29 +0800
Subject: [PATCH 4/7] SFI: pin EmitCompilerGeneratedFiles=false via TreatAsLocalProperty so CodeQL tracer cannot override it
---
 AIDevGallery/AIDevGallery.csproj | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/AIDevGallery/AIDevGallery.csproj b/AIDevGallery/AIDevGallery.csproj
index 249498f3..bf72370c 100644
--- a/AIDevGallery/AIDevGallery.csproj
+++ b/AIDevGallery/AIDevGallery.csproj
@@ -1,4 +1,4 @@ - + WinExe net9.0-windows10.0.26100.0
From 29a31aa4152c3ad1d3f3f21523adb7806568eacf Mon Sep 17 00:00:00 2001
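Review bot: The new CodeQL3000Init@0 / CodeQL3000Finalize@0 pair around the build script carries no comment saying why this template traces C# itself instead of relying on the 1ESPT `codeql.compiled` injection, so a later cleanup could drop the tasks or re-enable the injection next to them without noticing the dependency; a comment above the Init task such as `# The C# CodeQL database is produced by this explicit Init/Finalize pair; 1ESPT codeql.compiled auto-injection is disabled in ci.yml/release.yml` would record that. The pair lives in a template parameterised by `dotnet_platform`; if the calling pipeline expands it more than once inside one job, each expansion would open and finalize its own trace under the same attempt-scoped `buildIdentifier`, which is not visible from this hunk and worth confirming. The `steps` list this hunk belongs to starts and ends outside the hunk.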
From: Hao Liu
Date: Wed, 3 Jun 2026 17:09:50 +0800
Subject: [PATCH 5/7] SFI: disable 1ESPT compiled auto-injection (explicit CodeQL Init/Finalize in build.yaml owns C#)
---
 .pipelines/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.pipelines/ci.yml b/.pipelines/ci.yml
index f1ce289a..b1b9e384 100644
--- a/.pipelines/ci.yml
+++ b/.pipelines/ci.yml
@@ -40,7 +40,7 @@ extends:
 os: windows
 codeql:
 compiled:
- enabled: true
+ enabled: false
 buildIdentifier: 'Build_$(System.JobAttempt)'
 runSourceLanguagesInSourceAnalysis: true
 stages:
From df3397291c82e9310efd498dd94c98667effb355 Mon Sep 17 00:00:00 2001
From: Hao Liu
Date: Wed, 3 Jun 2026 17:18:40 +0800
Subject: [PATCH 6/7] SFI: mirror CodeQL config in release.yml (explicit Init/Finalize owns C#, attempt-scoped buildIdentifier)
---
 .pipelines/release.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.pipelines/release.yml b/.pipelines/release.yml
index 67d76156..1da1f605 100644
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -32,6 +32,11 @@ extends:
 name: Azure-Pipelines-1ESPT-ExDShared
 image: windows-latest
 os: windows
+ codeql:
+ compiled:
+ enabled: false
+ buildIdentifier: 'Build_$(System.JobAttempt)'
+ runSourceLanguagesInSourceAnalysis: true
 stages:
 - stage: Build
 jobs:
From 06c19296010c3d49762d8789674da4d2c2c50970 Mon Sep 17 00:00:00 2001
From: Hao Liu
Date: Wed, 3 Jun 2026 17:47:14 +0800
Subject: [PATCH 7/7] SFI: address PR review (Finalize condition: always(), document EmitCompilerGeneratedFiles pin)
---
 .pipelines/templates/build.yaml | 1 +
 AIDevGallery/AIDevGallery.csproj | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.pipelines/templates/build.yaml b/.pipelines/templates/build.yaml
index bcefd2d4..ef07348d 100644
--- a/.pipelines/templates/build.yaml
+++ b/.pipelines/templates/build.yaml
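Review bot: `enabled: false` under `codeql.compiled` leaves `buildIdentifier` and `runSourceLanguagesInSourceAnalysis` in a block that ci.yml itself no longer explains, and the only thing that now produces the C# database is the explicit CodeQL3000Init/Finalize pair in templates/build.yaml; the release.yml hunk later in this series adds the same block with the same gap. A comment above `codeql:` in both files, e.g. `# C# analysis is driven by the explicit CodeQL3000Init/Finalize steps in templates/build.yaml; keep compiled.enabled false so the build is not traced twice`, keeps a future reader from flipping this back to true next to the explicit tasks. Whether the attempt-scoped `buildIdentifier` still reaches the explicit tasks once `compiled.enabled` is false is not visible from these hunks; if it does not, the identifier the commit messages describe would have to be supplied to the tasks in build.yaml instead.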
@@ -23,6 +23,7 @@ steps:
 displayName: Build - ${{ parameters.dotnet_platform }}
 - task: CodeQL3000Finalize@0
 displayName: 'CodeQL Finalize'
+ condition: always()
 - ${{ if eq(parameters.publishSymbols, true) }}:
 - task: PublishSymbols@2
 displayName: Publish Symbols - ${{ parameters.dotnet_platform }}
diff --git a/AIDevGallery/AIDevGallery.csproj b/AIDevGallery/AIDevGallery.csproj
index bf72370c..83fedc29 100644
--- a/AIDevGallery/AIDevGallery.csproj
+++ b/AIDevGallery/AIDevGallery.csproj
@@ -20,6 +20,7 @@ $(NoWarn);IDISP001;IDISP002;IDISP003;IDISP004;IDISP006;IDISP007;IDISP008;IDISP017;IDISP025 true + false SamplesRoots.xml
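Review bot: `condition: always()` on CodeQL3000Finalize@0 also runs the step when the job is cancelled, not only after a failed build; if the intent is just to close the tracer after a build failure, `condition: succeededOrFailed()` is the narrower condition. A Finalize that runs after a failed or partial build produces a database that does not reflect a complete compilation, so results from such a run should not be read as a clean scan of the commit. A one-line comment above the condition, e.g. `# finalize even after a failed build so the CodeQL tracer is never left open`, would state the reason for running it unconditionally. The `steps` list this hunk belongs to starts and ends outside the hunk.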