From d7b498bd0ea01347034fcdd4a4c7a659b73d36e2 Mon Sep 17 00:00:00 2001
From: Daniel Schaefer
Date: Wed, 12 Feb 2025 09:53:17 +0800
Subject: [PATCH 1/6] gh-actions: Run codeql
Signed-off-by: Daniel Schaefer
---
 .github/workflows/codeql.yml | 61 ++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..8dec016
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,61 @@
+# This workflow runs the latest CodeQL CLI and checks against CodeQL's Cpp library.
+# This is the source for the GitHub Security Code Scanning job.
+
+name: "CodeQL Analysis"
+
+on:
+ push:
+ branches:
+ - main
+ - develop
+ paths-ignore:
+ - '**.md'
+ - 'LICENSE'
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches:
+ - main
+ - develop
+ paths-ignore:
+ - '**.md'
+ - 'LICENSE'
+
+ # Allow manual scheduling
+ workflow_dispatch:
+
+jobs:
+ analyze:
+ name: Analysis
+ runs-on: windows-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'cpp' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ submodules: 'recursive'
+ - name: Install Nuget Packages
+ run: nuget restore .\packages.config -PackagesDirectory .\packages\
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development
+ packs: +microsoft/windows-drivers@1.2.0-beta
+ - name: Retrieve and build all available solutions
+ run: |
+ msbuild FrameworkSensors\FrameworkSensors.sln /property:Configuration=Debug /property:Platform=x64
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
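Review bot: `config-file:` in the Initialize CodeQL step points at the `@development` branch of microsoft/Windows-Driver-Developer-Supplemental-Tools, a mutable ref, so the query set this job runs is whatever that branch holds on the day of the run and a given scan result cannot be reproduced later; the `@v4`/`@v3` action references are floating major tags for the same reason. Pin the config to a release tag or commit, e.g. `config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@<release-tag-or-sha>`, and pin the actions to full commit SHAs with the tag kept in a trailing comment. The `permissions:` block is already the least-privilege set for a CodeQL job, which is good. The comment `# Allow manual scheduling` above `workflow_dispatch:` should read `# Allow manual triggering`, since there is no `schedule:` trigger in this file.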
From 0c75d06463d807f45e2457156789bfefc3f776f9 Mon Sep 17 00:00:00 2001
From: Daniel Schaefer
Date: Wed, 12 Feb 2025 09:54:51 +0800
Subject: [PATCH 2/6] gh-actions: Run codeql on all branches
Signed-off-by: Daniel Schaefer
---
 .github/workflows/codeql.yml | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8dec016..5833fbf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -5,17 +5,6 @@ name: "CodeQL Analysis" on: push: - branches: - - main - - develop - paths-ignore: - - '**.md' - - 'LICENSE' - pull_request: - # The branches below must be a subset of the branches above - branches: - - main - - develop paths-ignore: - '**.md' - 'LICENSE'
From aad66650736ac39784c8efa28c65dfbd588ccc5e Mon Sep 17 00:00:00 2001
From: Daniel Schaefer
Date: Wed, 12 Feb 2025 10:01:44 +0800
Subject: [PATCH 3/6] gh-actions: Don't need to install nuget pkgs for codeql
Signed-off-by: Daniel Schaefer
---
 .github/workflows/codeql.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5833fbf..ca84466 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -29,10 +29,6 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - with: - submodules: 'recursive' - - name: Install Nuget Packages - run: nuget restore .\packages.config -PackagesDirectory .\packages\ - name: Initialize CodeQL uses: github/codeql-action/init@v3
@@ -40,6 +36,7 @@ jobs: languages: ${{ matrix.language }} config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development packs: +microsoft/windows-drivers@1.2.0-beta + - name: Retrieve and build all available solutions run: | msbuild FrameworkSensors\FrameworkSensors.sln /property:Configuration=Debug /property:Platform=x64
From ca126a57a424d8a14810beb96faac06502092953 Mon Sep 17 00:00:00 2001
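Review bot: Besides the branch filters, this hunk deletes the entire `pull_request:` trigger, so the workflow now runs only on `push` and a pull request opened from a fork is never analyzed before it is merged; the commit title only speaks of branches, so this looks unintended. If scanning every push is the goal, keep a minimal `pull_request:` block with the same `paths-ignore:` list next to `push:`; if dropping PR scanning is deliberate, say so in a comment above `push:` so the next reader does not "fix" it back.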
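Review bot: With its `with:` block removed, `uses: actions/checkout@v4` at the top of the first hunk now runs with the action's default `persist-credentials: true`, which leaves the job's GITHUB_TOKEN in `.git/config` where every later step (msbuild, the CodeQL init/analyze actions) can read it; no step in this workflow pushes, so add `with:` / `persist-credentials: false`. Dropping `submodules: 'recursive'` and the nuget restore is fine only if the solution builds without them: CodeQL for C++ records just the code the build step compiles, so if anything still depended on those sources the msbuild step, not this hunk, is where it will surface, and the job log of the first run after this change should be checked for skipped or failed projects.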
From: Daniel Schaefer
Date: Wed, 11 Mar 2026 00:33:32 +0800
Subject: [PATCH 4/6] codeql: Cleanup and modernization
Signed-off-by: Daniel Schaefer
---
 .github/workflows/codeql.yml | 32 ++++++++++----------------------
 1 file changed, 10 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ca84466..2294b9c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,6 +1,3 @@ -# This workflow runs the latest CodeQL CLI and checks against CodeQL's Cpp library. -# This is the source for the GitHub Security Code Scanning job. - name: "CodeQL Analysis" on:
@@ -8,40 +5,31 @@ on: paths-ignore: - '**.md' - 'LICENSE' - - # Allow manual scheduling - workflow_dispatch: jobs: - analyze: - name: Analysis - runs-on: windows-latest + codeql: + runs-on: windows-2022 permissions: - actions: read - contents: read security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'cpp' ] - steps: - - name: Checkout repository + - name: Check out repository code uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development packs: +microsoft/windows-drivers@1.2.0-beta - - name: Retrieve and build all available solutions + - name: Add MSBuild to PATH + uses: microsoft/setup-msbuild@v2 + + - name: Build solution run: | - msbuild FrameworkSensors\FrameworkSensors.sln /property:Configuration=Debug /property:Platform=x64 + msbuild FrameworkSensors\FrameworkSensors.sln /property:Configuration=Release /property:Platform=x64 - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 with: category: "/language:${{matrix.language}}"
From 4f3c44ec06a51a691ae120d2facc704e5094bd0d Mon Sep 17 00:00:00 2001
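Review bot: The `strategy:`/`matrix:` block is deleted in the second hunk, but `languages: ${{ matrix.language }}` and `category: "/language:${{matrix.language}}"` survive as context, so both expressions now expand to an empty string and the init step no longer says which language to analyze; this commit should write `languages: cpp` (and drop or hard-code the category) rather than leave the workflow in that state until a later patch. Trimming `permissions:` to `security-events: write` alone sets every other scope for this job, including `contents`, to none; GitHub's own CodeQL workflow template keeps `contents: read` for the checkout step (and `actions: read` on private repositories), so as far as I can tell `contents: read` should stay. Removing `workflow_dispatch:` also removes the only way to re-run the scan without a push, which the commit message does not mention; if that is intended, a one-line comment under `on:` would record it.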
From: Daniel Schaefer
Date: Wed, 11 Mar 2026 00:34:41 +0800
Subject: [PATCH 5/6] codql: Upload Sarif and DVL
Signed-off-by: Daniel Schaefer
---
 .github/workflows/codeql.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2294b9c..6cf7e3f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,4 +32,21 @@ jobs:
 - name: Perform CodeQL analysis
 uses: github/codeql-action/analyze@v4
 with:
- category: "/language:${{matrix.language}}"
+ output: sarif-results
+
+ - name: Upload SARIF file
+ uses: actions/upload-artifact@v4
+ with:
+ name: codeql-sarif
+ path: sarif-results
+
+ - name: Generate DVL
+ shell: cmd
+ run: |
+ "C:\Program Files (x86)\Windows Kits\10\Tools\dvl\dvl.exe" /manualCreate FrameworkSensors X64 /sarifPath sarif-results
+
+ - name: Upload DVL
+ uses: actions/upload-artifact@v4
+ with:
+ name: dvl
+ path: sarif-results/FrameworkSensors.DVL.XML
From 95a836369fd8ee6b0e194b90059db23beaea8486 Mon Sep 17 00:00:00 2001
From: Daniel Schaefer
Date: Wed, 11 Mar 2026 00:34:30 +0800
Subject: [PATCH 6/6] codeql: Pin version for Windows 25H2
Signed-off-by: Daniel Schaefer
---
 .github/codeql/codeql-config.yml | 6 ++++++
 .github/workflows/codeql.yml | 8 +++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 .github/codeql/codeql-config.yml
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 0000000..4932d03
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,6 @@
+# CodeQL configuration for WHCP Windows 11 25H2 certification
+# See: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/static-tools-and-codeql
+disable-default-queries: true
+packs:
+ - microsoft/cpp-queries@0.0.4:codeql-suites/cpp-code-scanning.qls
+ - microsoft/windows-drivers@1.8.0:windows-driver-suites/recommended.qls
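Review bot: The two `actions/upload-artifact@v4` steps publish the raw SARIF and the generated DVL as workflow artifacts, which anyone with read access to the repository can download; on a public repository that makes every unresolved finding from the scan available in the artifact before anyone has triaged it in the Security tab, whereas the code-scanning upload done by analyze is only visible to people with security-alert access. If the files are only needed for a WHCP submission, consider producing them from a tagged or release run only, setting a short `retention-days:` on both upload steps, and recording the intent in a comment above `- name: Upload SARIF file`. The `dvl.exe` call hard-codes the Windows Kits install path; if the runner image moves the kit the step fails with an opaque cmd error, so a preceding `if not exist "<dvl.exe path>" (echo dvl.exe not found & exit /b 1)` line would make that failure self-explanatory.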
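Review bot: The new config pins `microsoft/cpp-queries@0.0.4` and `microsoft/windows-drivers@1.8.0`, but the CodeQL CLI bundle those pack versions are certified against is pinned in a different file (`tools:` in `.github/workflows/codeql.yml`) and nothing here records the pairing, so the two can drift apart on the next bump. Add a line such as `# Must match the CLI bundle pinned under tools: in .github/workflows/codeql.yml; bump both together` beneath the existing `# See:` comment. `disable-default-queries: true` is presumably intended, since the WHCP suites replace the default code-scanning queries, but it is worth stating in a comment that any GitHub default query not contained in `cpp-code-scanning.qls` no longer runs.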
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6cf7e3f..daecb06 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -18,9 +18,11 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: - languages: ${{ matrix.language }} - config-file: microsoft/Windows-Driver-Developer-Supplemental-Tools/config/codeql-config.yml@development - packs: +microsoft/windows-drivers@1.2.0-beta + languages: cpp + # Pin CodeQL CLI version for WHCP Windows 11 25H2 certification + # See: https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/static-tools-and-codeql + tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.20.1/codeql-bundle-win64.tar.gz + config-file: .github/codeql/codeql-config.yml - name: Add MSBuild to PATH uses: microsoft/setup-msbuild@v2
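Review bot: `tools:` pins the CodeQL CLI to a release-asset URL, which fixes the version but not the content: the action fetches the tarball over HTTPS and, as far as I can tell, does not check a digest for a user-supplied `tools` URL, so the integrity of the analyzer that produces the certification SARIF rests on GitHub's release hosting alone. Recording the bundle's expected SHA-256 next to the pin (placeholder: `# sha256: <digest-of-codeql-bundle-win64.tar.gz>`) at least lets a maintainer notice drift when the version is bumped. The pack versions in `.github/codeql/codeql-config.yml` must stay compatible with `codeql-bundle-v2.20.1`, so extend the `# Pin CodeQL CLI version ...` comment with `# Keep in step with the pack versions in .github/codeql/codeql-config.yml`. `languages: cpp` finally makes the init input explicit and resolves the dangling `matrix.language` reference left by the earlier cleanup commit.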