From 8f8c003a3393de9266d575b94c67f6f0ac4b0404 Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Fri, 31 Oct 2025 14:22:21 +0100
Subject: [PATCH 1/5] Add Microsoft C++ Code Analysis workflow
Signed-off-by: Niels Lohmann
---
 .github/workflows/msvc.yml | 66 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 .github/workflows/msvc.yml
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
new file mode 100644
index 0000000000..400608cbd7
--- /dev/null
+++ b/.github/workflows/msvc.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Find more information at:
+# https://github.com/microsoft/msvc-code-analysis-action
+
+name: Microsoft C++ Code Analysis
+
+on:
+ push:
+ branches: [ "develop" ]
+ pull_request:
+ branches: [ "develop" ]
+ schedule:
+ - cron: '44 17 * * 1'
+
+env:
+ # Path to the CMake build directory.
+ build: '${{ github.workspace }}/build'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Analyze
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Configure CMake
+ run: cmake -B ${{ env.build }}
+
+ # Build is not required unless generated source files are used
+ # - name: Build CMake
+ # run: cmake --build ${{ env.build }}
+
+ - name: Initialize MSVC Code Analysis
+ uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
+ # Provide a unique ID to access the sarif output path
+ id: run-analysis
+ with:
+ cmakeBuildDirectory: ${{ env.build }}
+ # Ruleset file that will determine what checks will be run
+ ruleset: NativeRecommendedRules.ruleset
+
+ # Upload SARIF file to GitHub Code Scanning Alerts
+ - name: Upload SARIF to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.run-analysis.outputs.sarif }}
+
+ # Upload SARIF file as an Artifact to download and view
+ # - name: Upload SARIF as an Artifact
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: sarif-file
+ # path: ${{ steps.run-analysis.outputs.sarif }}
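Review bot: Only the analysis action is pinned to a commit (`uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99`); `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` are pinned to mutable tags, so a moved or compromised tag could run different code inside a job that holds `security-events: write`. Pin all three the same way, e.g. `uses: actions/checkout@<commit-sha> # v4` with the tag kept as a trailing comment; the same applies to `actions/upload-artifact@v4` introduced in the third patch. Note also that `pull_request` runs from forks get a read-only token, so the upload-sarif step will presumably fail there rather than skip—worth confirming on a fork PR before relying on this as a PR check.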
From 0899505e14558fbfafe56dbd9727a45c80b4db07 Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Fri, 31 Oct 2025 14:50:38 +0100
Subject: [PATCH 2/5] Fix SARIF file handling in GitHub workflow
Patch SARIF file for GitHub upload and update upload step.
Signed-off-by: Niels Lohmann
---
 .github/workflows/msvc.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
index 400608cbd7..f38ff6ae06 100644
--- a/.github/workflows/msvc.yml
+++ b/.github/workflows/msvc.yml
@@ -52,15 +52,15 @@ jobs:
 # Ruleset file that will determine what checks will be run
 ruleset: NativeRecommendedRules.ruleset
 
- # Upload SARIF file to GitHub Code Scanning Alerts
+ - name: Patch SARIF for GitHub upload
+ shell: pwsh
+ run: |
+ $sarif = Get-Content "${{ steps.run-analysis.outputs.sarif }}" -Raw | ConvertFrom-Json
+ $i = 0
+ foreach ($run in $sarif.runs) { $run.properties.category = "run-$i"; $i++ }
+ $sarif | ConvertTo-Json -Depth 100 | Out-File -Encoding utf8 "${{ env.build }}/results_fixed.sarif"
+
 - name: Upload SARIF to GitHub
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: ${{ steps.run-analysis.outputs.sarif }}
-
- # Upload SARIF file as an Artifact to download and view
- # - name: Upload SARIF as an Artifact
- # uses: actions/upload-artifact@v4
- # with:
- # name: sarif-file
- # path: ${{ steps.run-analysis.outputs.sarif }}
+ sarif_file: ${{ env.build }}/results_fixed.sarif
From 429a5170a1bd6f0336680ca5f9693e19282b15bc Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Fri, 31 Oct 2025 17:54:26 +0100
Subject: [PATCH 3/5] Refactor SARIF upload steps in workflow
Signed-off-by: Niels Lohmann
---
 .github/workflows/msvc.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
index f38ff6ae06..714bc16976 100644
--- a/.github/workflows/msvc.yml
+++ b/.github/workflows/msvc.yml
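Review bot: The step output is spliced into the script source by `${{ steps.run-analysis.outputs.sarif }}` inside a double-quoted pwsh string, so the path becomes PowerShell code rather than data, and the same is done with `${{ env.build }}` on the Out-File line; any quote or `$` in those values would be interpreted by the shell. In this workflow the value is a path the action itself produced under the build directory, so the practical exposure is low, but the robust pattern is to pass it through the environment: `env:` / `SARIF_PATH: ${{ steps.run-analysis.outputs.sarif }}` on the step and `Get-Content $env:SARIF_PATH -Raw` in the script, with `$env:BUILD_DIR` for the output path. The fourth patch's rewrite of this step (`$sarifPath = "${{ steps.run-analysis.outputs.sarif }}"`) has the same pattern.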
@@ -52,15 +52,15 @@ jobs:
 # Ruleset file that will determine what checks will be run
 ruleset: NativeRecommendedRules.ruleset
 
- - name: Patch SARIF for GitHub upload
- shell: pwsh
- run: |
- $sarif = Get-Content "${{ steps.run-analysis.outputs.sarif }}" -Raw | ConvertFrom-Json
- $i = 0
- foreach ($run in $sarif.runs) { $run.properties.category = "run-$i"; $i++ }
- $sarif | ConvertTo-Json -Depth 100 | Out-File -Encoding utf8 "${{ env.build }}/results_fixed.sarif"
+ # Upload SARIF file to GitHub Code Scanning Alerts
+ #- name: Upload SARIF to GitHub
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: ${{ steps.run-analysis.outputs.sarif }}
 
- - name: Upload SARIF to GitHub
- uses: github/codeql-action/upload-sarif@v3
+ # Upload SARIF file as an Artifact to download and view
+ - name: Upload SARIF as an Artifact
+ uses: actions/upload-artifact@v4
 with:
- sarif_file: ${{ env.build }}/results_fixed.sarif
+ name: sarif-file
+ path: ${{ steps.run-analysis.outputs.sarif }}
From c3d43415f53e79bab533e8035e6224117eab83b2 Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Sun, 2 Nov 2025 21:56:28 +0100
Subject: [PATCH 4/5] :alembic: fix SARIF file
Signed-off-by: Niels Lohmann
---
 .github/workflows/msvc.yml | 41 +++++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
index 714bc16976..3b1e69e3f7 100644
--- a/.github/workflows/msvc.yml
+++ b/.github/workflows/msvc.yml
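Review bot: Commenting out the `upload-sarif` step and replacing it with `actions/upload-artifact` means the analysis results no longer reach code scanning, so findings will not appear as alerts or annotate pull requests, and the commit title ("Refactor") does not say whether this is intentional or temporary. If the artifact route is a workaround while the SARIF upload problem is being sorted out, a comment above the disabled step such as `# Temporarily disabled until the SARIF upload issue is resolved; results are kept as an artifact meanwhile` would tell the next reader why. The job also keeps `security-events: write`, which nothing in this version of the workflow uses; dropping it until the upload returns keeps the token at least privilege.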
@@ -52,15 +52,38 @@ jobs:
 # Ruleset file that will determine what checks will be run
 ruleset: NativeRecommendedRules.ruleset
 
+ - name: Patch SARIF with unique categories
+ shell: pwsh
+ run: |
+ $sarifPath = "${{ steps.run-analysis.outputs.sarif }}"
+ $outputPath = "${{ env.build }}\results_fixed.sarif"
+
+ $sarif = Get-Content $sarifPath -Raw | ConvertFrom-Json
+
+ for ($i = 0; $i -lt $sarif.runs.Count; $i++) {
+ $run = $sarif.runs[$i]
+
+ # Ensure properties exists
+ if ($null -eq $run.PSObject.Properties['properties']) {
+ $run | Add-Member -NotePropertyName 'properties' -NotePropertyValue @{}
+ }
+
+ # Add or overwrite category
+ $run.properties['category'] = "run-$i"
+ }
+
+ $sarif | ConvertTo-Json -Depth 200 | Set-Content -Encoding utf8 $outputPath
+ Write-Host "✅ Wrote patched SARIF to $outputPath"
+
 # Upload SARIF file to GitHub Code Scanning Alerts
- #- name: Upload SARIF to GitHub
- # uses: github/codeql-action/upload-sarif@v3
- # with:
- # sarif_file: ${{ steps.run-analysis.outputs.sarif }}
+ - name: Upload SARIF to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ env.build }}/results_fixed.sarif
 
 # Upload SARIF file as an Artifact to download and view
- - name: Upload SARIF as an Artifact
- uses: actions/upload-artifact@v4
- with:
- name: sarif-file
- path: ${{ steps.run-analysis.outputs.sarif }}
+ #- name: Upload SARIF as an Artifact
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: sarif-file
+ # path: ${{ steps.run-analysis.outputs.sarif }}
From d927807e5d9b8c990a2d1116b1c930cf50f4ae02 Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Mon, 3 Nov 2025 10:21:13 +0100
Subject: [PATCH 5/5] Adjust JSON depth for SARIF output
Reduced JSON depth for SARIF conversion from 200 to 100.
Signed-off-by: Niels Lohmann
---
 .github/workflows/msvc.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
index 3b1e69e3f7..8d98d6e6e0 100644
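Review bot: The two branches of the `properties` check leave `$run.properties` with different types: when it is missing, `Add-Member ... -NotePropertyValue @{}` attaches a hashtable, but when it already exists it is whatever `ConvertFrom-Json` deserialized (a PSCustomObject by default), and `$run.properties['category'] = "run-$i"` presumably only works on the hashtable form—worth testing against a SARIF file whose runs already carry `properties`, since only the missing-`properties` path seems to have been exercised. Making both branches produce an object and setting the key with Add-Member covers both cases: `$run | Add-Member -NotePropertyName 'properties' -NotePropertyValue ([pscustomobject]@{})` in the if-block and `$run.properties | Add-Member -NotePropertyName 'category' -NotePropertyValue "run-$i" -Force` in place of the index assignment. Separately, `$outputPath` is built with a backslash (`\results_fixed.sarif`) while the upload step below reads `${{ env.build }}/results_fixed.sarif`; both resolve on Windows, but one separator avoids a confusing mismatch in logs.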
--- a/.github/workflows/msvc.yml
+++ b/.github/workflows/msvc.yml
@@ -72,7 +72,7 @@ jobs:
 $run.properties['category'] = "run-$i"
 }
 
- $sarif | ConvertTo-Json -Depth 200 | Set-Content -Encoding utf8 $outputPath
+ $sarif | ConvertTo-Json -Depth 100 | Set-Content -Encoding utf8 $outputPath
 Write-Host "✅ Wrote patched SARIF to $outputPath"
 
 # Upload SARIF file to GitHub Code Scanning Alerts