ci: add CodeQL analysis

[saagpatel]

What

• Add a CodeQL workflow for the repo's supported language surfaces.
• Run on PRs, pushes to polish/v1.0-improvements, manual dispatch, and a weekly schedule.

Why

• Security Review flagged this repo as missing CodeQL coverage.

How

• Use the official CodeQL action with a minimal matrix: javascript-typescript, python.

Testing

• Not run locally (GitHub Actions workflow-only change).

Performance Impact

• Adds CI runtime only when the workflow is triggered.

Risk / Notes

• Config-only change; Rust code is intentionally not included because CodeQL does not support Rust analysis.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 29314a8a0b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Include the main branch in CodeQL triggers

With these branches filters, GitHub only runs the push workflow for pushes to polish/v1.0-improvements and the PR workflow for PRs targeting that same branch; I checked the repo context and the normal branch is main (for example docs/developer/releases.md pushes releases from main, and the local repo has a main branch). As a result, PRs into main and direct pushes to main get no CodeQL analysis, so the added security coverage is skipped for the primary development/release path unless this branch name is changed or main is included.

Useful? React with 👍 / 👎.