Fix CodeQL code scanning workflow (pack resolution and triggers)

[danbaruka]

Summary

Resolves GitHub Code scanning configuration errors caused by an incompatible third-party CodeQL pack, and makes CodeQL run when relevant repo metadata changes—not only when *.go files change.

Problem

• The workflow pulled crypto-com/cosmos-sdk-codeql, which depends on codeql/go-all: 0.3.6. That pin is far behind the codeql/go-all version bundled with current GitHub Code Scanning, so pack resolution fails and the Security tab shows configuration errors.
• The workflow only triggered on **.go, so updates to go.mod, Makefile, or the CodeQL workflow itself did not re-run analysis—leading to stale “last scanned” messaging.

Changes

• Remove packs: +crypto-com/cosmos-sdk-codeql from the CodeQL init step.
• Expand paths filters on pull_request and push to include go.mod, go.sum, Makefile, .github/workflows/codeql.yml, and .github/codeql/**.
• Add workflow_dispatch so maintainers can run CodeQL manually from the Actions tab.
• Upgrade github/codeql-action/init and analyze from v3 → v4.

What stays the same

• Language: Go
• Config file: .github/codeql/codeql-config.yml
• Queries: security-and-quality plus the same experimental Go queries from github/codeql (DeferInLoop, WrongUsageOfUnsafe, DivideByZero).

Follow-ups (optional)

• If Cosmos-specific queries are still desired, they need a maintained pack (or a fork) with codeql/go-all compatible with today’s CodeQL—not the unmaintained crypto-com pack as-is.
• After merge, confirm Security → Code scanning shows a successful run; use Actions → CodeQL → Run workflow if you want an immediate refresh.