[ci] Disable CodeQL on macOS, Linux, non-main jobs (#9111)

Attempt to save some build time on macOS and Linux by disabling CodeQL.
This step will still run during the Windows build job in CI, as well as
the macOS nightly build job.

An explicit branch check has also been added to ensure CodeQL only runs
against the main branch.

Author: pjcollins

build-tools/automation/azure-pipelines.yaml

@@ -74,7 +74,10 @@ extends:
       binskim:
         scanOutputDirectoryOnly: true
       codeql:
-        runSourceLanguagesInSourceAnalysis: true
+        ${{ if ne(variables['Build.SourceBranch'], 'refs/heads/main') }}:
+          compiled:
+            enabled: false
+            justificationForDisabling: CodeQL disabled for non-main branch builds
       policheck:
         enabled: false
         justification: Built in task does not support multi-language scanning

build-tools/automation/yaml-templates/build-linux.yaml

@@ -35,6 +35,11 @@ stages:
       CC: gcc-10
     ${{ if eq(parameters.use1ESTemplate, true) }}:
       templateContext:
+        sdl:
+          codeql:
+            compiled:
+              enabled: false
+              justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
         outputs:
         - output: pipelineArtifact
           displayName: upload linux sdk

build-tools/automation/yaml-templates/build-macos.yaml

@@ -43,6 +43,11 @@ stages:
       clean: all
     ${{ if eq(parameters.use1ESTemplate, true) }}:
       templateContext:
+        sdl:
+          codeql:
+            compiled:
+              enabled: false
+              justificationForDisabling: CodeQL runs against the Windows build and nightly macOS build
         outputParentDirectory: ${{ parameters.xaSourcePath }}/bin
         outputs:
         - output: pipelineArtifact