Add a new pipeline that is specifically for periodic SDL tasks like CodeQL. This is how we did it before 1ES PT, and it turns out that's still a valid way to approach CodeQL.
Even though the pipeline is classified as non-production, use the Official 1ES PT template. I didn't see a way to enable CodeQL in the Unofficial 1ES PT template, and there doesn't seem to be any reason that we must use the Unofficial template.
Remove CodeQL from the primary pipeline: enabling it there seems to cause failure during SBOM generation (https://dev.azure.com/dnceng/internal/_build/results?buildId=2414008&view=results) and also slows down the build.
Test runs (ongoing when I submitted the PR):