…icrosoft#98)

## Description

To enable more easily setting the stack cookie failure vector, update
the check to reference a fixed at build PCD in MdePkg.

## Breaking change?

No

## How This Was Tested

Triggering the interrupt on Q35

## Integration Instructions

N/A

## Description

Our memory protection policy is now robust enough to ensure that
platforms have no read/write/execute pages before ExitBootServices. This
update adds a test to the DxePagingAuditApp to check the page table for
RWX pages and only exempt them if the region is part of a nonprotected
image or special region.

Users can still utilize the app to dump paging data to the EFI partition
by calling the application with the '-d' flag. By default, the app will
run the RWX test.

## Breaking change?

No

## How This Was Tested

Running the test on Q35

## Integration Instructions

The test will identify RWX regions. Platforms should identify these
regions to determine if they must be RWX. If they really must be RWX,
the platform can utilize the Memory Protection Special Region Protocol
to create a special region.

## Description

Fixes microsoft#106 

GCC states `Dummy` and `FakeCertificate` may be used uninitialized since
it is not assigned an initial value before being passed to functions in
some tests.

`Dummy` Example:

```
INFO - /s/MfciPkg/MfciDxe/Test/MfciMultipleCertsHostTest.c:317:12: error: ‘Dummy’ may be used uninitialized [-Werror=maybe-uninitialized]
INFO -   317 |   Status = ValidateBlobWithXdrCertificates (&Dummy, sizeof (Dummy), NULL, sizeof (mCert_Trusted_CA_Root_xdr));
INFO -       |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
INFO - /s/MfciPkg/MfciDxe/Test/MfciMultipleCertsHostTest.c:144:1: note: by argument 1 of type ‘const UINT8 *’ {aka ‘const unsigned char *’} to ‘ValidateBlobWithXdrCertificates’ declared here
```

`FakeCertificate` Example:

```
INFO - /s/MfciPkg/MfciDxe/Test/MfciMultipleCertsHostTest.c:358:12: error: ‘FakeCertificate’ may be used uninitialized [-Werror=maybe-uninitialized]
INFO -   358 |   Status = ValidateBlobWithXdrCertificates (&Dummy, sizeof (Dummy), &FakeCertificate, sizeof (FakeCertificate));
INFO -       |            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

This change initializes the values as necessary to prevent the error.

- [ ] Breaking change?
- Will this change break pre-existing builds or functionality without
action being taken?
  **No** - Simple GCC compilation fix

## How This Was Tested

Verified compilation before (fails as shown above) and after (does not
fail) with fix in this change.

## Integration Instructions

None - This will resolve a GCC build error that may have been
encountered in the MFCI tests.

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

**edk2-pytool-library**

Updates the requirements on [edk2-pytool-library](https://github.com/tianocore/edk2-pytool-library) to permit the latest version.
- [Release notes](https://github.com/tianocore/edk2-pytool-library/releases)
- [Commits](tianocore/edk2-pytool-library@v0.11.6...v0.12.1)

---
updated-dependencies:
- dependency-name: edk2-pytool-library
  dependency-type: direct:production
...

**edk2-pytool-extensions**

Updates the requirements on [edk2-pytool-extensions](https://github.com/tianocore/edk2-pytool-extensions) to permit the latest version.
- [Release notes](https://github.com/tianocore/edk2-pytool-extensions/releases)
- [Commits](tianocore/edk2-pytool-extensions@v0.19.1...v0.20.0)

---
updated-dependencies:
- dependency-name: edk2-pytool-extensions
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Now that we're using dependabot, strictly manage exact version of
dependencies using an exact match instead of a "compatible release".

Compatible releases (~= syntax) are described here:

  - https://peps.python.org/pep-0440/#compatible-release

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

## Description

* Add missing new line character to the end of a Debug print in MfciDxe.
* This improves readability of debug logs.

- [ ] Breaking change?
No breaking change.
- Will this change break pre-existing builds or functionality without
action being taken?

## How This Was Tested

* Verified log output is now properly formatted.

## Integration Instructions

N/A

…ft#108)

Fix a uninitialized variable usage case found when experimenting with
new clang compiler configuration. If the first `goto exit` statement is
used then a comparison will be done against the uninitialized value of
the variable

## Description
GCC compiler warns about missing braces with existing defintion of
gPciRootBridge. This change fixes that.

- [ ] Breaking change?
No

## How This Was Tested
Local build on workstation.
Ran GCC build on internal Microsoft code base.

## Integration Instructions
N/A

## Description

Enables stale bot to automatically closed old issues in this repo.
https://github.com/actions/stale

This action is largely based on a reusable workflow from Mu DevOps.

Current configuration:
  - Stale PR: After 60 days
  - Stale Issue: After 45 days
  - Days until PR and Issue close: 7 days
  - Exempt labels:
    - `impact:security`
    - `state:backlog`
    - `state:under-discussion`
  - Stale Issue label: `state:stale`
  - Stale PR label: `state:stale`
  - Comments are left when marked stale and when closed

These settings come directly from the default setting values in
the Mu DevOps reusable workflow.

Note: The `workflow_dispatch` trigger is added to allow the workflow to
be manually
invoked if ever needed.

- [ ] Breaking change?
- Will this change break pre-existing builds or functionality without
action being taken?
  **No**

## How This Was Tested

- Verified workflow on mu_basecore fork
- Example run:
https://github.com/makubacki/mu_basecore/actions/runs/3526648651
- Verified workflow in mu_basecore release/202208 branch

## Integration Instructions

N/A - Only affects the GitHub workflow in this repo

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

## Description

Adds an action to automatically sync labels used in this repository
from a centralized file in Project Mu DevOps.

https://github.com/microsoft/mu_devops

New labels should be added to the `Labels.yml` file in mu_devops.

Repo-specific labels are allowed to be defined. Those can either be
created in a repo-local config YAML file (preferred) or manually
in the "Labels" section of the repo.

- [ ] Breaking change?
- Will this change break pre-existing builds or functionality without
action being taken?
  **No**

## How This Was Tested

On fork repositories.

## Integration Instructions

Now downstream integration required, only impacts this repo

Repo users should understand label definitions and read instructions
noted in this change regarding how to modify labels in the future.

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

## Description

Reset notification was handled by the NVMe driver before the AdvLogger
could write the log to disk.

- [No] Breaking change?
- Will this change break pre-existing builds or functionality without
action being taken?

## How This Was Tested

Tested on multiple systems.

## Integration Instructions

N/A

…oft#113)

## Description

Removes the template from the old location (repo root).

File sync will track this file in the `.github` directory now.

- [ ] Breaking change?
- Will this change break pre-existing builds or functionality without
action being taken?
  **No**

## How This Was Tested

Code review.

## Integration Instructions

N/A

Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>

Synced local file(s) with
[microsoft/mu_devops](https://github.com/microsoft/mu_devops).

🤖: View the [Repo File Sync Configuration
File](https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml)
to see how files are synced.

---

This PR was created automatically by the
[repo-file-sync-action](https://github.com/BetaHuhn/repo-file-sync-action)
workflow run
[#3578665266](https://github.com/microsoft/mu_devops/actions/runs/3578665266)

Signed-off-by: Project Mu UEFI Bot <uefibot@microsoft.com>

…ell image in (microsoft#116)

## Description

Add PcdShellFvGuid to allow platforms to provide FV GUID to search shell
image in

- [x] Impacts functionality?
- [ ] Impacts security?
- [ ] Breaking change?
- [ ] Includes tests?
- [ ] Includes documentation?

## How This Was Tested

When a FV GUID is provided, a default boot option for shell with the FV
device path is created. as long as the device path exists, system is
able to boot to internal UEFI shell.

If the PCD is not updated by platform and is at default value (zero
guid), then all FV's are searched and shell is located to create a boot
option device path.

## Integration Instructions

N/A

Synced local file(s) with
[microsoft/mu_devops](https://github.com/microsoft/mu_devops).

🤖: View the [Repo File Sync Configuration
File](https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml)
to see how files are synced.

---

This PR was created automatically by the
[repo-file-sync-action](https://github.com/BetaHuhn/repo-file-sync-action)
workflow run
[#3598065818](https://github.com/microsoft/mu_devops/actions/runs/3598065818)

Signed-off-by: Project Mu UEFI Bot <uefibot@microsoft.com>

## Description

Changes the matrix build job to be able to take input for the container
image used in the generic mu_devops file generated.

Will be used by: microsoft/mu_devops#59 

- [ ] Impacts functionality?
- [ ] Impacts security?
- [ ] Breaking change?
- [ ] Includes tests?
- [ ] Includes documentation?

## How This Was Tested

Tested on test pipeline with mu_devops changes made locally

## Integration Instructions

N/A

Synced local file(s) with
[microsoft/mu_devops](https://github.com/microsoft/mu_devops).

🤖: View the [Repo File Sync Configuration
File](https://github.com/microsoft/mu_devops/blob/main/.sync/Files.yml)
to see how files are synced.

---

This PR was created automatically by the
[repo-file-sync-action](https://github.com/BetaHuhn/repo-file-sync-action)
workflow run
[#3641761478](https://github.com/microsoft/mu_devops/actions/runs/3641761478)

Signed-off-by: Project Mu UEFI Bot <uefibot@microsoft.com>