Add CodeQL analysis results to Code Quality report#83

Merged
Malcolmnixon merged 4 commits into main from copilot/add-codeql-analysis-results
Jan 27, 2026

Conversation


Copilot AI commented Jan 27, 2026

Pull Request

Description

Integrates CodeQL security analysis into the Code Quality PDF report, following the pattern established in demaconsulting/SonarMark.

Changes

  • CodeQL Configuration: Added .github/codeql-config.yml with query filters for security-and-quality queries, excluding test path-combine warnings and justified exception handlers
  • Build Workflow: Enhanced CodeQL job to output SARIF artifact; build-docs job now downloads SARIF and generates markdown report via SarifMark
  • Tooling: Added DemaConsulting.SarifMark 1.0.1 to dotnet-tools manifest
  • Documentation: Updated docs/quality/definition.yaml to include codeql-quality.md alongside sonar-quality.md
  • CI Logging: Added display steps to print both CodeQL and SonarCloud quality reports to console for visibility in CI logs
  • Cleanup: Removed obsolete build_docs.yaml workflow (functionality now in build.yaml)

The Code Quality PDF now contains both SonarCloud and CodeQL analysis sections, and the CI logs display the complete quality analysis reports.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code quality improvement

Related Issues

Pre-Submission Checklist

Before submitting this pull request, ensure you have completed the following:

Build and Test

  • Code builds successfully: dotnet build --configuration Release
  • All tests pass: dotnet test --configuration Release
  • Code produces zero warnings

Code Quality

  • Code formatting is correct: dotnet format --verify-no-changes
  • New code has appropriate XML documentation comments
  • Static analyzer warnings have been addressed

Quality Checks

Please run the following checks before submitting:

  • Spell checker passes: cspell "**/*.{md,cs}"
  • Markdown linter passes: markdownlint "**/*.md"
  • YAML linter passes: yamllint '**/*.{yml,yaml}'

Testing

  • Added unit tests for new functionality
  • Updated existing tests if behavior changed
  • All tests follow the AAA (Arrange, Act, Assert) pattern
  • Test coverage is maintained or improved

Documentation

  • Updated README.md (if applicable)
  • Updated ARCHITECTURE.md (if applicable)
  • Added code examples for new features (if applicable)
  • Updated requirements.yaml (if applicable)

Additional Notes

No new runtime dependencies. SarifMark is a build-time tool only. CodeQL runs in CI parallel to existing build job. The quality reports are now displayed in CI logs for immediate visibility without needing to download PDF artifacts.

Original prompt

This section details the original issue you should resolve

<issue_title>[Feature]: Add CodeQL analysis results to Code Quality report</issue_title>
<issue_description>Problem Statement

The Code Quality report should include CodeQL analysis results.

Proposed Solution

Examine the https://github.com/demaconsulting/SonarMark project and review how it added CodeQL analysis, then apply the appropriate changes to this project. The changes include:

  • Ensure the codeql job in the build.yaml matches the other projects - including having a codeql-config.yml file and saving the SARIF results as artifacts
  • Add DemaConsulting.SarifMark 1.0.1 to the dotnet-tools.json
  • Modify the build-docs job to depend on the codeql job, download the SARIF artifact, run SarifMark and emit the docs/quality/codeql-quality.md file
  • Modify the Code Quality Report pandoc definition to include the docs/quality/codeql-quality.md file
  • Delete the old build_docs.yaml file - it should now be embedded in the build.yaml file
  • Check for any other updates relevant to the CodeQL to Code Quality document path.

Alternatives Considered

No response

Usage Examples

Benefits

Code Quality reports.

Priority

Medium - Would improve my workflow

Willingness to Contribute

Yes, I can submit a pull request

Additional Context

No response

Checklist

  • I have searched existing issues to ensure this is not a duplicate
  • I have provided a clear description of the feature
  • I have explained why this feature would be useful</issue_description>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>
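As an added example (not SarifMark's code or this project's), the following Python script shows the SARIF-to-Markdown step the build-docs job now performs: it reads a CodeQL SARIF log, resolves each result's level and security-severity from the rule metadata, and renders the Markdown table a quality report would embed. The sample log, its rule ids, file paths and the helper names `_loc`, `summarize` and `to_markdown` are constructed for illustration.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample: two CodeQL rules, three results (the last has no location).
def _loc(uri, line):
    return [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                  "region": {"startLine": line}}}]

SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "cs/path-combine", "properties": {"security-severity": "7.8"}},
        {"id": "cs/catch-of-all-exceptions",
         "defaultConfiguration": {"level": "note"}}]}},
    "results": [
        {"ruleId": "cs/path-combine", "level": "warning",
         "message": {"text": "Path.Combine may discard earlier arguments."},
         "locations": _loc("src/Loader.cs", 42)},
        {"ruleId": "cs/catch-of-all-exceptions",
         "message": {"text": "Generic catch clause."},
         "locations": _loc("src/Main.cs", 17)},
        {"ruleId": "cs/catch-of-all-exceptions",
         "message": {"text": "Generic catch clause."}}]}]})

def summarize(sarif_text):
    """Return (results per level, rows of (rule, level, severity, location, message))."""
    counts, rows = Counter(), []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            # SARIF: an omitted level means the rule's default, else "warning".
            level = res.get("level") or rule.get(
                "defaultConfiguration", {}).get("level", "warning")
            counts[level] += 1
            sev = rule.get("properties", {}).get("security-severity", "n/a")
            loc = "-"  # findings without a location are still reported
            if res.get("locations"):
                phys = res["locations"][0]["physicalLocation"]
                loc = f'{phys["artifactLocation"]["uri"]}:{phys["region"]["startLine"]}'
            rows.append((res["ruleId"], level, sev, loc, res["message"]["text"]))
    return counts, rows

def to_markdown(sarif_text):
    """Render the Markdown section a quality report would embed."""
    counts, rows = summarize(sarif_text)
    by_level = ", ".join(f"{n} {lvl}" for lvl, n in sorted(counts.items()))
    lines = ["# CodeQL Quality", "", f"{sum(counts.values())} result(s): {by_level}", "",
             "| Rule | Level | Security severity | Location | Message |",
             "|---|---|---|---|---|"]
    lines += [f"| {r} | {l} | {s} | {loc} | {m} |" for r, l, s, loc, m in rows]
    return "\n".join(lines)
```

Printing `to_markdown(SAMPLE_SARIF)` in a CI step gives the same content the PR's display steps put in the build log, so reviewers can check counts per level without downloading the PDF artifact.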
Copilot AI changed the title [WIP] Add CodeQL analysis results to code quality report Add CodeQL analysis results to Code Quality report Jan 27, 2026
Copilot AI requested a review from Malcolmnixon January 27, 2026 01:02
Malcolmnixon marked this pull request as ready for review January 27, 2026 01:11

Malcolmnixon left a comment

Also the build-docs job should print the reports to the console so the CI logs contain the results - just like the SonarMark project reviewed earlier.

Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com>

Copilot AI commented Jan 27, 2026

Also the build-docs job should print the reports to the console so the CI logs contain the results - just like the SonarMark project reviewed earlier.

Added display steps for both CodeQL and SonarCloud quality reports to print results to console. Commit: bb4fd62
