Introduce Github CodeQL

[skonefal]

No description provided.

[cursor]

PR Summary

Low Risk
Low risk because it only adds a GitHub Actions workflow; the main impact is CI runtime/permissions and potential new code-scanning alerts.

Overview
Adds a new .github/workflows/codeql.yml workflow to run CodeQL Advanced scanning on pushes to main and on a weekly schedule.

The job analyzes actions and python via a matrix, uses pinned actions/checkout and github/codeql-action versions, and includes the standard (disabled unless needed) manual-build step plus required security-events write permissions.

^{Reviewed by Cursor Bugbot for commit 581d6cd. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: CodeQL skips pull requests
  • Added a pull_request trigger for main so CodeQL runs on PRs before merge.

Or push these changes by commenting:

@cursor push 6208a095a6

Preview (6208a095a6)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,6 +14,8 @@
 on:
   push:
     branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
   schedule:
     - cron: '17 6 * * 0'

_{You can send follow-ups to the cloud agent here.}

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 581d6cd. Configure here.}

[bh2smith]

Seems legit!