feat(infra): added codeql workflow file

[sushant-suse]

Related Issue #164

This PR integrates GitHub CodeQL into our CI/CD pipeline to perform automated semantic and security analysis of the Python codebase. While our current Ruff linting catches style and basic logic errors, CodeQL performs deep data-flow analysis to identify potential security vulnerabilities (CWEs) that static linters might miss.

Changes:

• Added CodeQL Workflow: Created .github/workflows/codeql-analysis.yml to scan on pushes to main and all Pull Requests.
• Performance Optimization: Included path filtering to ensure scans only trigger when source code (src/**) or CI configurations change.
• Dependency Integration: Utilizes uv to install the github-action group during analysis, allowing CodeQL to resolve third-party library calls for more accurate results.
• Security Suites: Enabled both security-extended and security-and-quality query suites for comprehensive coverage.

Use Case:

• Automatically detects vulnerabilities like path injection, ReDoS, and tainted data flow before they reach production.
• Centralizes security alerts in the GitHub Security tab for better visibility.
• Ensures the project adheres to modern DevSecOps standards as we scale.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-actions]

Coverage Report

For commit ad72bb3

Click to expand Coverage Report

  Name                                           Stmts   Miss Branch BrPart  Cover
  --------------------------------------------------------------------------------
+ src/docbuild/cli/cmd_check/process.py             60      0     22      1  98.8%
+ src/docbuild/utils/pidlock.py                     79      1     14      1  97.8%
+ src/docbuild/cli/cmd_validate/process.py         178      3     52      2  97.8%
+ src/docbuild/config/xml/stitch.py                 48      1     12      1  96.7%
+ src/docbuild/cli/callback.py                      35      0     10      2  95.6%
+ src/docbuild/cli/cmd_metadata/metaprocess.py     167     10     42      7  91.9%
- src/docbuild/cli/cmd_config/__init__.py            9      1      0      0  88.9%
- src/docbuild/cli/cmd_cli.py                       86     11      6      3  84.8%
- src/docbuild/cli/cmd_check/__init__.py            18      5      2      0  65.0%
- src/docbuild/cli/cmd_build/__init__.py            13      5      0      0  61.5%
- src/docbuild/cli/cmd_metadata/__init__.py         27     10      2      0  58.6%
- src/docbuild/cli/cmd_config/environment.py        11      6      2      0  38.5%
  --------------------------------------------------------------------------------
+ TOTAL                                           2744     53    638     17  97.8%
  
  47 files skipped due to complete coverage.

[tomschr]

That looks great! 👍 Thanks Sushant.

🚢 it!