
Add CodeQL analysis to code quality report #64

Merged: Malcolmnixon merged 4 commits into main from copilot/add-codeql-analysis-report on Jan 26, 2026

Conversation

Contributor

Copilot AI commented Jan 26, 2026

Pull Request

Description

Integrates CodeQL security-and-quality analysis into the build pipeline and code quality documentation. The CodeQL job runs in parallel with builds, exports SARIF results, and generates a markdown report via SarifMark that's included in the compiled quality PDF alongside SonarCloud metrics. Quality reports are displayed to the console during the build-docs job for visibility.

Key changes:

  • Workflow: New codeql job performs static analysis and exports SARIF artifact
  • Documentation: build-docs job now downloads SARIF and generates codeql-quality.md using SarifMark
  • Configuration: CodeQL config excludes test files from path-combine analysis
  • Tooling: Added demaconsulting.sarifmark 1.0.1 to dotnet tools
  • Permissions: Added required permissions (actions: read, security-events: write) to calling workflows (build_on_push.yaml and release.yaml) to support CodeQL analysis
  • Console Output: Added steps to display both CodeQL and SonarCloud quality reports to console during build-docs job

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code quality improvement

Related Issues

Implements CodeQL integration as requested in the feature request.

Pre-Submission Checklist

Before submitting this pull request, ensure you have completed the following:

Build and Test

  • Code builds successfully: dotnet build --configuration Release
  • All tests pass: dotnet test --configuration Release
  • Code produces zero warnings

Code Quality

  • Code formatting is correct: dotnet format --verify-no-changes
  • New code has appropriate XML documentation comments
  • Static analyzer warnings have been addressed

Quality Checks

Please run the following checks before submitting:

  • Spell checker passes: cspell "**/*.{md,cs}"
  • Markdown linter passes: markdownlint "**/*.md"
  • YAML linter passes: yamllint '**/*.{yml,yaml}'

Testing

  • Added unit tests for new functionality
  • Updated existing tests if behavior changed
  • All tests follow the AAA (Arrange, Act, Assert) pattern
  • Test coverage is maintained or improved

Documentation

  • Updated README.md (if applicable)
  • Updated ARCHITECTURE.md (if applicable)
  • Added code examples for new features (if applicable)
  • Updated requirements.yaml (if applicable)

Additional Notes

Implementation follows the pattern established in demaconsulting/SarifMark. The CodeQL job runs independently and only blocks documentation generation, not the main build/test/integration pipeline.

The calling workflows (build_on_push.yaml and release.yaml) have been updated with the necessary permissions to support the CodeQL analysis workflow, ensuring proper artifact access and security event uploads.

Quality reports are displayed to the console during the build-docs job with clear section headers ("=== CodeQL Quality Report ===" and "=== SonarCloud Quality Report ==="), matching the pattern used in the SarifMark project for improved visibility and debugging.

Original prompt

This section details the original issue you should resolve

<issue_title>[Feature]: Add CodeQL analysis to code quality</issue_title>
<issue_description>### Problem Statement

The Code Quality report should include CodeQL results

Proposed Solution

The following approach should be used to get CodeQL code quality reports. Note that the https://github.com/demaconsulting/SarifMark project itself demonstrates some of these steps:

  • Add DemaConsulting.SarifMark 1.0.1 to the dotnet-tools
  • Modify the build.yaml to run the codeql job and archive the exported SARIF report.
  • Modify the build-docs job to depend on the codeql job and run SarifMark to generate docs/quality/codeql-quality.md (review the SarifMark project for reference)
  • Modify the Code Quality compiled pandoc/weasyprint document to include the codeql-quality.md generated file

Alternatives Considered

No response

Usage Examples

Benefits

Improved code quality report

Priority

Low - Nice to have

Willingness to Contribute

Yes, I can submit a pull request

Additional Context

No response

Checklist

  • I have searched existing issues to ensure this is not a duplicate
  • I have provided a clear description of the feature
  • I have explained why this feature would be useful</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
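The pipeline described in this PR (a `codeql` job running beside the build, SARIF exported as an artifact, `build-docs` waiting only on `codeql`, permissions raised in the calling workflows, and the quality reports echoed to the console), written out as an added illustration rather than the repository's own workflow files. The `dotnet sarifmark` arguments, the `sarif-results`, `docs/quality/*.md` and `codeql-config.yml` paths, and the test-exclusion glob are assumptions for this example and should be checked against the SarifMark project and the repository's actual layout. The security point it shows is that a reusable workflow only ever receives the permissions its caller grants, so `actions: read` and `security-events: write` must be set in `build_on_push.yaml`/`release.yaml`, not only in `build.yaml`:

```yaml
# build_on_push.yaml (caller). A reusable workflow can only use permissions
# the caller grants it, so these must be set here, not only in build.yaml.
name: Build on Push
on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    uses: ./.github/workflows/build.yaml
    permissions:
      contents: read
      actions: read             # CodeQL reads workflow run metadata
      security-events: write    # CodeQL uploads SARIF to code scanning
    secrets: inherit
---
# build.yaml (reusable workflow). Paths and the sarifmark arguments below
# are assumptions for this example, not the repository's actual values.
name: Build
on:
  workflow_call:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet build --configuration Release
      - run: dotnet test --configuration Release

  codeql:
    # Runs in parallel with build; only build-docs waits on it.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: csharp
          queries: security-and-quality
          config-file: ./.github/codeql/codeql-config.yml
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          output: sarif-results   # SARIF files are written to this directory
      - uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif
          path: sarif-results/*.sarif

  build-docs:
    needs: [codeql]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: dotnet tool restore   # installs the tools in the dotnet tool manifest
      - uses: actions/download-artifact@v4
        with:
          name: codeql-sarif
          path: sarif-results
      - name: Generate CodeQL quality report
        # Assumed invocation; confirm the flags against the SarifMark project.
        run: dotnet sarifmark --input sarif-results/csharp.sarif --output docs/quality/codeql-quality.md
      - name: Show quality reports
        run: |
          echo "=== CodeQL Quality Report ==="
          cat docs/quality/codeql-quality.md
          echo "=== SonarCloud Quality Report ==="
          cat docs/quality/sonarcloud-quality.md
---
# .github/codeql/codeql-config.yml: keep test code out of the analysis
# (the glob is an assumption about the repository's layout).
name: CodeQL config
paths-ignore:
  - "**/*Tests/**"
```

If the caller omits the job-level `permissions` block, the `codeql` job in `build.yaml` still declares `security-events: write` but GitHub caps it at the caller's `contents: read`, and the SARIF upload fails; that is the failure the review comment about calling workflows is guarding against. Keeping the SARIF artifact separate from the code-scanning upload means `build-docs` can render the report even when code-scanning upload is unavailable for the event type.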
Copilot AI changed the title [WIP] Add CodeQL analysis to code quality report Add CodeQL analysis to code quality report Jan 26, 2026
Copilot AI requested a review from Malcolmnixon January 26, 2026 19:22
Malcolmnixon (Contributor) commented:
@copilot Remember that the workflows that call build.yaml need the new permissions

Contributor Author

Copilot AI commented Jan 26, 2026

> @copilot Remember that the workflows that call build.yaml need the new permissions

Added the required permissions (actions: read and security-events: write) to both calling workflows in commit a0796f0.

@Malcolmnixon Malcolmnixon marked this pull request as ready for review January 26, 2026 19:29
Malcolmnixon (Contributor) left a comment:

Please print the quality reports to the console as part of the build-docs job just like SarifMarks build-docs

Contributor Author

Copilot AI commented Jan 26, 2026

> Please print the quality reports to the console as part of the build-docs job just like SarifMarks build-docs

Added console output steps for both CodeQL and SonarCloud quality reports in commit 29d9010. The reports are now displayed with clear headers ("=== CodeQL Quality Report ===" and "=== SonarCloud Quality Report ===") following the same pattern as the SarifMark build workflow.


Development

Successfully merging this pull request may close these issues.

[Feature]: Add CodeQL analysis to code quality

2 participants