Add CodeQL3000 run to aspnetcore-ci-official (#44688)

* Add CodeQL3000 run to aspnetcore-ci-official
- add new schedule for a weekly run
- add top-level parameter enabling CodeQL3000 in manual builds
- add `enableSBOM` and `variables` parameters in default-build.yml
- add a separate job w/ CodeQL3000 tasks included in build steps; run this job alone
  - use the new default-build.yml parameters
  - set `$(UseSharedCompilation)` to `false` to ease analysis
- tag CodeQL3000 runs
- add a tsaoptions.json file
  - cribbed values from our eng/sdl-tsa-vars.config file

nit: Unconditionally disable the auto-injected component governance build step
- job.yml inserts the task where we need (unless overridden)

.azure/pipelines/jobs/default-build.yml

@@ -38,6 +38,10 @@
 #       installations and enables test publication (unless enablePublishTestResults is overridden).
 #   enablePublishTestResults: boolean
 #       Determines if test results should be published. Defaults to the isAzDOTestingJob setting.
+#   enableSbom: boolean
+#       Determines if an SBOM should be created. Defaults to true. Ignored in public builds.
+#   variables: [array]
+#       Job-specific variables. Defined using either name/value pairs or a variable list (using name or group syntax).
 #
 # See https://docs.microsoft.com/en-us/vsts/pipelines/yaml-schema for details
 #
@@ -57,6 +61,8 @@ parameters:
   buildDirectory: $(System.DefaultWorkingDirectory)/eng/
   isAzDOTestingJob: false
   enablePublishTestResults: ''
+  enableSbom: true
+  variables: []
 
   configuration: 'Release'
   container: ''
@@ -94,6 +100,7 @@ jobs:
       testResultsFormat: xUnit # Have no vsTest results in any job.
     mergeTestResults: true
     testRunTitle: ${{ parameters.testRunTitle }}
+    enableSbom: ${{ parameters.enableSbom }}
     enableTelemetry: true
     helixRepo: dotnet/aspnetcore
     helixType: build.product/
@@ -154,7 +161,28 @@ jobs:
     - LANGUAGE: 'en_US.UTF-8'
     # Log environment variables in binary logs to ease debugging
     - MSBUILDLOGALLENVIRONMENTVARIABLES: true
-    - skipComponentGovernanceDetection: ${{ ne(variables['System.TeamProject'], 'internal') }}
+    # Rely on task Arcade injects, not auto-injected build step.
+    - skipComponentGovernanceDetection: true
+    - ${{ each variable in parameters.variables }}:
+      # handle a variable list using "name" and "value" properties
+      # example:
+      # - name: [key]
+      #   value: [value]
+      - ${{ if ne(variable.name, '') }}:
+        - name: ${{ variable.name }}
+          value: ${{ variable.value }}
+
+      # handle variable groups
+      - ${{ if ne(variable.group, '') }}:
+        - group: ${{ variable.group }}
+
+      # handle name/value pairs (converting them into variable list entries)
+      # example:
+      # - [name]: [value]
+      - ${{ if and(eq(variable.name, ''), eq(variable.group, '')) }}:
+        - ${{ each pair in variable }}:
+          - name: ${{ pair.key }}
+            value: ${{ pair.value }}
     steps:
     - ${{ if ne(parameters.agentOs, 'Windows') }}:
       - script: df -h

.config/tsaoptions.json

@@ -0,0 +1,12 @@
+{
+  "areaPath": "DevDiv\\ASP.NET Core",
+  "codebaseName": "AspNetCore",
+  "instanceUrl": "https://devdiv.visualstudio.com/",
+  "iterationPath": "DevDiv",
+  "notificationAliases": [
+    "aspnetcore-build@microsoft.com"
+  ],
+  "projectName": "DEVDIV",
+  "repositoryName": "AspNetCore",
+  "template": "TFSDEVDIV"
+}