
Add CodeQL security scanning workflow#97

Merged: alexkroman merged 2 commits into main from claude/loving-gates-kz0742 on Jun 12, 2026

Conversation

@alexkroman

Collaborator

Summary

Adds a GitHub Actions workflow to run CodeQL static analysis on the repository, enabling automated security vulnerability detection and code quality scanning.

Changes

  • New workflow file (.github/workflows/codeql.yml):
    • Configured to run on pull requests to main, pushes to main, and weekly schedule (Tuesdays at 14:29 UTC)
    • Analyzes three language targets: Python (CLI), Actions (workflows), and JavaScript/TypeScript (init template)
    • Uses build-mode none since all three are interpreted languages
    • Implements least-privilege permissions with security-events write access scoped to the analyze job
    • Pins GitHub Actions to specific commit SHAs for supply-chain security
    • Configures concurrency to cancel superseded PR runs but preserve main branch scans
    • Uploads SARIF results to GitHub's code scanning dashboard

Implementation Details

  • The workflow respects the project's security practices by using pinned action versions and minimal permissions
  • Weekly scheduled runs ensure new CodeQL queries from GitHub are applied to the default branch between code changes
  • Concurrency settings prevent double-scanning PR commits (mirrors the pattern in ci.yml)
  • No build step required since Python, Actions, and JavaScript are all interpreted languages

https://claude.ai/code/session_01MVoa4Ctp4Mok7oAR21qArU

Scans python (the CLI), actions (the workflows), and
javascript-typescript (the committed init template JS) on PRs, pushes
to main, and a weekly schedule. Follows the repo's workflow
conventions: SHA-pinned actions, least-privilege permissions,
persist-credentials off, and superseded-run cancellation that never
cancels a main run.

https://claude.ai/code/session_01MVoa4Ctp4Mok7oAR21qArU
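A workflow that matches the conventions listed above (three language targets with build-mode none, security-events write scoped to the analyze job, persist-credentials off, weekly Tuesday 14:29 UTC schedule, superseded PR runs cancelled but main never cancelled), written here as an added example reconstructed from the description rather than taken from the PR's own codeql.yml; the `<...-sha>` markers are placeholders for the pinned commit SHAs, which the page does not show:

```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '29 14 * * 2'   # weekly, Tuesday 14:29 UTC
# No write access by default; the analyze job opts into what it needs.
permissions: {}
# Cancel superseded runs of the same PR, but never cancel a run on main.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout the repository
      security-events: write  # upload SARIF to code scanning
      packages: read          # fetch CodeQL query packs
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: python               # the CLI
            build-mode: none
          - language: actions              # the workflows
            build-mode: none
          - language: javascript-typescript  # the init template JS
            build-mode: none
    steps:
      - name: Checkout
        # PLACEHOLDER: replace <checkout-sha> with the full commit SHA of the pinned release
        uses: actions/checkout@<checkout-sha> # vX.Y.Z
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - name: Initialize CodeQL
        uses: github/codeql-action/init@<codeql-action-sha> # vX.Y.Z
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@<codeql-action-sha> # vX.Y.Z
        with:
          category: "/language:${{ matrix.language }}"
```

The `category` input keeps the three per-language SARIF uploads distinct on the code scanning dashboard, so a later upload for one language does not close alerts found by another.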
@alexkroman alexkroman enabled auto-merge (squash) June 12, 2026 03:40
@alexkroman alexkroman merged commit 886d84b into main Jun 12, 2026
12 of 15 checks passed
@alexkroman alexkroman deleted the claude/loving-gates-kz0742 branch June 12, 2026 03:44