python-setup: Don't allow Poetry to make venv in project

I mostly verified this works on my local machine, but did add a sample `poetry.toml` to the tests, so it can be verified from looking at the logs 🤷

python-setup/auto_install_packages.py

@@ -33,10 +33,16 @@ def _check_output(command, extra_env={}):
 
 def install_packages_with_poetry():
 
-    # To handle poetry 1.2, which started to use keyring interaction MUCH more, we need
-    # add a workaround. See
-    # https://github.com/python-poetry/poetry/issues/2692#issuecomment-1235683370
-    extra_poetry_env = {"PYTHON_KEYRING_BACKEND": "keyring.backends.null.Keyring"}
+    extra_poetry_env = {
+        # To handle poetry 1.2, which started to use keyring interaction MUCH more, we need
+        # add a workaround. See
+        # https://github.com/python-poetry/poetry/issues/2692#issuecomment-1235683370
+        "PYTHON_KEYRING_BACKEND": "keyring.backends.null.Keyring",
+        # Projects that specify `in-project = true` in their poetry.toml would get the
+        # venv created inside the repo directory, which would cause CodeQL to consider
+        # it as user-written code. We don't want this to happen.
+        "POETRY_VIRTUALENVS_IN_PROJECT": "False",
+    }
 
     command = [sys.executable, '-m', 'poetry']
     if sys.platform.startswith('win32'):

python-setup/tests/poetry/requests-3/poetry.toml

@@ -0,0 +1,2 @@
+[virtualenvs]
+in-project = true