ci: add CodeQL analysis

[saagpatel]

What

• Adds a CodeQL workflow for JavaScript and TypeScript analysis.
• Runs on pull requests, pushes to the default branch, manual dispatch, and a weekly schedule.

Why

• Security Review flagged this repo as missing code scanning coverage.

How

• Uses GitHub's CodeQL action with least-privilege workflow permissions.

Testing

• GitHub PR checks.

Performance Impact

• None expected outside CI runtime.

Risk / Notes

• Config-only change. If CodeQL surfaces findings after merge, handle them in a follow-up PR.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 60359a8995

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Point CodeQL triggers at the default branch

The workflow is being added on top of main, but both event filters target feat/phase-3-polish-sharing-deployment. Since pull_request.branches matches the base branch and push.branches matches the pushed branch, PRs targeting main and pushes to main will not run CodeQL; only manual dispatch and the weekly scheduled scan remain. This leaves the intended per-PR/default-branch code scanning coverage absent unless contributors open PRs against that feature branch.

Useful? React with 👍 / 👎.