ci: add CodeQL workflow #558

Open

cameri wants to merge 2 commits into main from ci/add-codeql-workflow

Conversation

cameri (Owner) commented Apr 22, 2026

Description

Related Issue

Motivation and Context

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Non-functional change (docs, style, minor refactor)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my code changes.
  • I added a changeset, or this is docs-only and I added an empty changeset.
  • All new and existing tests passed.

Copilot AI review requested due to automatic review settings April 22, 2026 00:12
cameri self-assigned this Apr 22, 2026

github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Pull request overview

Adds a GitHub Actions workflow to run CodeQL code scanning on pushes/PRs to main and on a weekly schedule, enabling automated security/static analysis for the repo.

Changes:

  • Introduces a new .github/workflows/codeql.yml workflow for CodeQL scanning.
  • Configures a language matrix for actions and javascript-typescript.
  • Runs CodeQL init/analyze steps (with a placeholder manual build step gated on build-mode: manual).


Comment on lines +47 to +50
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
Copilot AI Apr 22, 2026

The matrix.include list items appear mis-indented relative to include: and their nested keys (build-mode). This can make the workflow YAML invalid or parse differently than intended. Re-indent include entries so the - language lines are consistently nested under include: and build-mode aligns as a sibling key within each list item (using standard 2-space YAML indentation).

Suggested change
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none
- language: actions
build-mode: none
- language: javascript-typescript
build-mode: none

Comment on lines +59 to +62
steps:
- name: Checkout repository
uses: actions/checkout@v4
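Review bot: the checkout step references the action by the mutable tag `actions/checkout@v4`, so the workflow's supply chain depends on whoever can move that tag; for a workflow that is itself the security-scanning entry point, pin to the full commit SHA (keeping the version in a trailing comment so dependency bots can still update it) and add `with: persist-credentials: false`, since CodeQL does not need the token left in the checked-out git config. The excerpt also shows no `permissions:` block for the job; the analyze step needs `security-events: write` to upload results, and declaring that explicitly (with `contents: read`) keeps the default GITHUB_TOKEN grant to the minimum the job uses.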

Copilot AI Apr 22, 2026

steps: is defined, but the step list entries (- name: ...) are not indented under it. As written, this makes the workflow YAML invalid and GitHub Actions will fail to load the workflow. Indent all step items and their fields so they are nested under steps:.

coveralls (Collaborator) commented Apr 22, 2026
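For readers who want to see what the workflow summarised in the review overview looks like once the two indentation comments are addressed, the following is an added example of a complete CodeQL workflow in that shape (push and pull_request on main, a weekly schedule, a matrix of actions and javascript-typescript with build-mode none, init and analyze steps, and a manual-build step gated on build-mode: manual). It is a reconstruction written for this page, not the codeql.yml from PR #558: the cron expression, the permissions block, the persist-credentials setting and the category input are assumptions, and the action versions are the current major tags rather than the commit SHAs a hardened workflow would pin.

```yaml
# Added example, not the file from PR #558. Structure follows the review
# overview; the cron expression, permissions and step inputs are assumed.
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # assumed: weekly, Monday 06:00 UTC

# Least privilege for the default GITHUB_TOKEN: security-events: write is what
# the analyze step needs to upload SARIF; nothing here needs write to contents.
permissions:
  contents: read
  security-events: write
  actions: read   # required on private repositories to read workflow run data

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 360
    strategy:
      fail-fast: false
      matrix:
        include:
          # Each "- language" line starts one list item; build-mode is a
          # sibling key two spaces in from the "- " marker, not a new item.
          - language: actions
            build-mode: none
          - language: javascript-typescript
            build-mode: none
    steps:
      # In production replace the major tag with a full commit SHA and keep
      # the version in a trailing comment (e.g. "# v4") for dependency bots.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # CodeQL does not need the token in .git/config

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # Reached only by a matrix entry with build-mode: manual; both entries
      # above use none, so this step is skipped and remains a placeholder.
      - name: Manual build
        if: matrix.build-mode == 'manual'
        run: |
          echo "Replace this step with the project's build commands"
          exit 1

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The category input keeps the two matrix entries' results distinct in the Security tab; without it, a second upload for the same commit can overwrite the first. The fail-fast: false setting means a failure in one language's analysis still lets the other finish, which is usually what you want for a scan that runs on a schedule.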

Coverage Status

coverage: 74.929%. remained the same — ci/add-codeql-workflow into main

changeset-bot commented Apr 22, 2026

⚠️ No Changeset found

Latest commit: 7765b57

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

4 participants