CI: upgrade github/codeql-action v3 → v4 before December 2026 deprecation

[leogdion]

Follow-up to PR #298 / branch plans/pr298-fixes. Captured from .claude/ci-failures-pr298.md §4 (workflow deprecation warnings).

Problem

The CodeQL workflow currently pins `github/codeql-action` to `v3`, which GitHub has scheduled for deprecation by December 2026. After the cutoff, all CodeQL jobs across MistKit / MistDemo / BushelCloud / CelestraCloud will start failing.

Fix

Bump every reference of `github/codeql-action/init@v3`, `.../analyze@v3`, `.../upload-sarif@v3` (and any other v3 sub-actions) to `@v4` in:

• `.github/workflows/codeql.yml` (top-level)
• `Examples/MistDemo/.github/workflows/codeql.yml`
• `Examples/BushelCloud/.github/workflows/codeql.yml`
• `Examples/CelestraCloud/.github/workflows/codeql.yml`

Plus any other workflow files that pull in CodeQL (`grep -rn "codeql-action" .github Examples/*/.github`).

Verification

• `gh run list --workflow=codeql.yml --limit 1` still passes after the bump.
• No new deprecation warnings in workflow logs.
• Re-run on a PR to confirm the analyze step completes against v4 with the same severity floor.

Notes

Suggest doing this before end of Q3 2026 to leave a comfortable margin. v4 is a drop-in for our usage (no breaking config changes that affect the way we call it), but verify against GitHub's release notes when the upgrade lands.