Add CodeQL analysis workflow

[aymenfurter]

Adds automated CodeQL code scanning for JavaScript/TypeScript.

What this does:

• Scans on push to main, PRs targeting main, and weekly (Mondays at 03:25 UTC)
• Uses minimal permissions (contents: read, security-events: write)
• Results are visible only to repo admins/writers in the Security tab

Why:
Proactive vulnerability detection for the TypeScript codebase.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 4 package(s) with unknown licenses.

See the Details below.

License Issues

.github/workflows/codeql.yml

Package	Version	License	Issue Type
actions/checkout	6.*.*	Null	Unknown License
github/codeql-action/analyze	3.*.*	Null	Unknown License
github/codeql-action/autobuild	3.*.*	Null	Unknown License
github/codeql-action/init	3.*.*	Null	Unknown License

Denied Licenses:

GPL-3.0, AGPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	6.*.*	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 0 1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/github/codeql-action/analyze	3.*.*	Unknown	Unknown
actions/github/codeql-action/autobuild	3.*.*	Unknown	Unknown
actions/github/codeql-action/init	3.*.*	Unknown	Unknown

Scanned Files

• .github/workflows/codeql.yml

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.