Introduce Github CodeQL

[skonefal]

No description provided.

[cursor]

PR Summary

Low Risk
Low risk: adds a GitHub Actions CodeQL workflow only; no application/runtime code changes. Main impact is CI time and potential new code scanning alerts or workflow failures if CodeQL setup needs tuning.

Overview
Adds a new GitHub Actions workflow (.github/workflows/codeql.yml) to run CodeQL Advanced scanning on pushes to main and on a weekly cron.

The job analyzes actions and python via a matrix, runs github/codeql-action init/analyze with pinned action SHAs, and includes a stub manual build step that fails if build-mode is switched to manual.

^{Reviewed by Cursor Bugbot for commit 1730437. Configure here.}

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Missing pull request trigger
  • Added a pull_request trigger targeting main so CodeQL runs on PRs before merge.

Or push these changes by commenting:

@cursor push 107a218cdf

Preview (107a218cdf)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,6 +14,8 @@
 on:
   push:
     branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
   schedule:
     - cron: '29 7 * * 2'

_{You can send follow-ups to the cloud agent here.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 1730437. Configure here.}

[skonefal]

I have read the CLA Document and I hereby sign the CLA