Merged PR 792194: Run CodeQL only in CodeQL pipeline and enable bug filing

Run CodeQL only in CodeQL pipeline and enable bug filing. In addition to this PR, a change was made to disable CodeQL in `RunCheckInTests BuildXL PR Validation` pipeline (it's not yaml-based)

.azdo/1espt-integration/linux/pipeline.yml

@@ -1,7 +1,5 @@
 # Pipeline to serve as canary test for 1ESPipelines.
 # This pipeline exercises the Unofficial template with the BuildXL workflow, running a distributed linux build
-variables:
-  Codeql.Enabled: false
 trigger: none  # Explicitly scheduled
 parameters:
 - name: type
@@ -26,6 +24,10 @@ extends:
         name: Windows-SDL-Agents
         image: Windows-SDL-Image
         os: windows
+      codeql:
+        compiled:
+          enabled: false
+          justificationForDisabling: 'CodeQL would not be effective on this pipeline because builds are incremental and distributed. We have a dedicated pipeline for CodeQL.'
 
     stages:
     - stage: Linux

.azdo/compliance/codeql.yml

@@ -6,7 +6,10 @@ variables:
     value: $(Build.SourcesDirectory)\Out\Logs
   - name: Codeql.Enabled
     value: true
-    # YarnTool is an external tool
+  # Enable bug filing for CodeQL issues
+  - name: Codeql.TSAEnabled
+    value: true
+  # YarnTool is an external tool
   - name: Codeql.ExcludePathPatterns
     value: "Out/frontend/Download/YarnTool"
 

.azdo/maintenance/azure-pipelines.yml

@@ -14,6 +14,9 @@ resources:
       name: CloudBuild
 
 variables:
+  # We have a separate pipeline that runs clean builds to get full CodeQL coverage.
+  - name: Codeql.Enabled
+    value: "false"
   # CodeQL scans for Cloudbuild repo should be performed elsewhere.
   # CB repo is checked out into $(Build.SourcesDirectory)/CloudBuild. CodeQL is using $(Build.SourcesDirectory) as a source root.
   # Add the top-level directory to the exclude list to exclude the whole CloudBuild repo.