Cherry-pick PR PowerShell#26322 with conflicts for manual resolution

Author: Copilot

.github/workflows/analyze-reusable.yml

@@ -0,0 +1,76 @@
+name: CodeQL Analysis (Reusable)
+
+on:
+  workflow_call:
+    inputs:
+      runner_os:
+        description: 'Runner OS for CodeQL analysis'
+        type: string
+        required: false
+        default: ubuntu-latest
+
+permissions:
+  actions: read  # for github/codeql-action/init to get workflow details
+  contents: read  # for actions/checkout to fetch code
+  security-events: write  # for github/codeql-action/analyze to upload SARIF results
+
+env:
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  DOTNET_NOLOGO: 1
+  POWERSHELL_TELEMETRY_OPTOUT: 1
+  __SuppressAnsiEscapeSequences: 1
+  nugetMultiFeedWarnLevel: none
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ${{ inputs.runner_os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['csharp']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        fetch-depth: '0'
+
+    - uses: actions/setup-dotnet@v5
+      with:
+        global-json-file: ./global.json
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    - run: |
+        Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose
+      name: Capture Environment
+      shell: pwsh
+
+    - run: |
+        Import-Module .\tools\ci.psm1
+        Invoke-CIInstall -SkipUser
+      name: Bootstrap
+      shell: pwsh
+
+    - run: |
+        Import-Module .\tools\ci.psm1
+        Invoke-CIBuild -Configuration 'StaticAnalysis'
+      name: Build
+      shell: pwsh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v3.29.5

.github/workflows/linux-ci.yml

@@ -160,14 +160,10 @@ jobs:
         uses: "./.github/actions/test/verify_xunit"
 
   analyze:
-    permissions:
-      actions: read  # for github/codeql-action/init to get workflow details
-      contents: read  # for actions/checkout to fetch code
-      security-events: write  # for github/codeql-action/analyze to upload SARIF results
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: CodeQL Analysis
     needs: changes
     if: ${{ needs.changes.outputs.source == 'true' }}
+<<<<<<< HEAD
 
     strategy:
       fail-fast: false
@@ -217,6 +213,15 @@ jobs:
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
+=======
+    uses: ./.github/workflows/analyze-reusable.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      runner_os: ubuntu-latest
+>>>>>>> 5e5e17766 (Refactor analyze job to reusable workflow and enable on Windows CI (#26322))
 
   ready_to_merge:
     name: Linux ready to merge

.github/workflows/windows-ci.yml

@@ -148,6 +148,7 @@ jobs:
       - ci_build
       - changes
     if: ${{ needs.changes.outputs.source == 'true' }}
+<<<<<<< HEAD
     runs-on: windows-latest
     steps:
       - name: checkout
@@ -156,6 +157,29 @@ jobs:
           fetch-depth: 1000
       - name: Verify xUnit test results
         uses: "./.github/actions/test/verify_xunit"
+=======
+    uses: ./.github/workflows/xunit-tests.yml
+    with:
+      runner_os: windows-latest
+      test_results_artifact_name: testResults-xunit
+  analyze:
+    name: CodeQL Analysis
+    needs: changes
+    if: ${{ needs.changes.outputs.source == 'true' }}
+    uses: ./.github/workflows/analyze-reusable.yml
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    with:
+      runner_os: windows-latest
+  windows_packaging:
+    name: Windows Packaging
+    needs:
+      - changes
+    if: ${{ needs.changes.outputs.packagingChanged == 'true' }}
+    uses: ./.github/workflows/windows-packaging-reusable.yml
+>>>>>>> 5e5e17766 (Refactor analyze job to reusable workflow and enable on Windows CI (#26322))
   ready_to_merge:
     name: windows ready to merge
     needs:
@@ -164,6 +188,11 @@ jobs:
       - windows_test_elevated_others
       - windows_test_unelevated_ci
       - windows_test_unelevated_others
+<<<<<<< HEAD
+=======
+      - analyze
+      - windows_packaging
+>>>>>>> 5e5e17766 (Refactor analyze job to reusable workflow and enable on Windows CI (#26322))
     if: always()
     uses: PowerShell/compliance/.github/workflows/[email protected]
     with:

tools/ci.psm1

@@ -101,6 +101,11 @@ function Invoke-CIFull
 # Implements the CI 'build_script' step
 function Invoke-CIBuild
 {
+    param(
+        [ValidateSet('Debug', 'Release', 'CodeCoverage', 'StaticAnalysis')]
+        [string]$Configuration = 'Release'
+    )
+
     $releaseTag = Get-ReleaseTag
     # check to be sure our test tags are correct
     $result = Get-PesterTag
@@ -115,7 +120,7 @@ function Invoke-CIBuild
         Start-PSBuild -Configuration 'CodeCoverage' -PSModuleRestore -CI -ReleaseTag $releaseTag
     }
 
-    Start-PSBuild -PSModuleRestore -Configuration 'Release' -CI -ReleaseTag $releaseTag -UseNuGetOrg
+    Start-PSBuild -PSModuleRestore -Configuration $Configuration -CI -ReleaseTag $releaseTag -UseNuGetOrg
     Save-PSOptions
 
     $options = (Get-PSOptions)