[main] Add CodeQL3000 tasks

[dougbu]

• cherry-pick from [3.x] Add CodeQL3000 tasks #8159 branch, with slight adjustments
• enable CodeQL in this branch
  • use explicit tasks to enable manual builds of any branch
• add a new top-level parameter to enable CodeQL3000 in manual builds
• tag CodeQL3000 builds that do actual CodeQL3000 work
• add a tsaoptions.json file
  • initial area path value is certainly wrong
  • other values may be incorrect too

Microsoft Reviewers: Open in CodeFlow

[dougbu]

Just kicked off build #20221116.4 for actual validation w/ CodeQL3000 enabled.

/cc @ReubenBond @benjaminpetit

[dougbu]

That test build ran the tasks but didn't do much because the CodeQL analysis was considered up to date. Merging this PR will

• enable manual builds to test CodeQL
• limit the number of regular builds affected by (slowed by) CodeQL to internal scheduled and, optionally, manual builds
• report bugs found in the TSA database

The middle bullet doesn't apply to #8159 because 3.x is not the repo's default branch. Only the default branch gets the tasks auto-injected (unless disabled, as I did in this PR).

[benjaminpetit]

Since we are still building on our own devops instance, should we change this value?

[dougbu]

I don't know because the documentation of this file format is sorely lacking. I suspect this is the location where areaPath lives and where TSA bugs will be filed. Suggest we probably want to keep @danmoseley's bug in the same instance. @dcwhittaker do you know more❔

[dougbu]

I believe this can be resolved since this instance is definitely where the area path lives.

[dougbu]

Rebased on main and switched to the right area path. This PR should be ready to go unless @ReubenBond's #8159 (comment) comment needs additional changes both here and there.

[dougbu]

I can't rerun workflows in this repo to clear up the unsuccessful check

[ReubenBond]

That unsuccessful check seems to be unrelated. I'm going to investigate, but we can ignore it for this PR