@Copilot Copilot AI commented Jul 9, 2025

This PR adds a CodeQL analysis workflow to ensure comprehensive security scanning of the Go codebase while following GitHub's recommended security permission patterns.

Changes Made

  • Added .github/workflows/codeql.yml: New CodeQL analysis workflow that:
    • Uses github/codeql-action/analyze for comprehensive code scanning
    • Defines security-events: write permission at the job level (not root level)
    • Uses minimal root-level permissions (contents: read only)
    • Configured for Go language analysis with autobuild
    • Scheduled to run weekly and on push/PR to main branch

Security Compliance

  • Job-level permissions: security-events: write is defined at the job level (lines 19-25), not at the root level
  • Minimal root permissions: Only contents: read at root level (line 12)
  • Pinned action versions: Uses same versions as existing workflows for consistency
  • Best practices: Follows GitHub's recommended CodeQL workflow patterns

Verification

The existing OSSF Scorecard workflow was already compliant with the permission requirements. This new workflow ensures that any CodeQL analysis jobs in the repository follow the same secure permission model.

# Correct pattern used:
jobs:
  analyze:
    permissions:
      security-events: write  # ✅ Job level
      actions: read
      contents: read

Fixes #31.


Co-authored-by: trask <218610+trask@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Ensure correct CodeQL workflow permissions Add CodeQL analysis workflow with correct job-level security permissions Jul 9, 2025
@Copilot Copilot AI requested a review from trask July 9, 2025 22:41
Copilot finished work on behalf of trask July 9, 2025 22:41
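A complete workflow illustrating the permission model the PR description summarizes, written here as an added example rather than the PR's own codeql.yml. The action refs (checkout@v4, codeql-action@v3) and the cron expression are assumptions; the repository's file uses the same pinned versions as its existing workflows.

```yaml
name: CodeQL

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '30 3 * * 1'   # assumed weekly schedule; the PR states "weekly" only

# Root level: read-only. Every job inherits this unless it asks for more,
# so no job gets security-events: write by accident.
permissions:
  contents: read

# Anti-pattern for contrast (do NOT do this): granting the upload permission
# to every job in the file instead of the one job that uploads results.
#
# permissions:
#   contents: read
#   security-events: write

jobs:
  analyze:
    name: Analyze (go)
    runs-on: ubuntu-latest
    # Job level: the only GITHUB_TOKEN scope with write access is the one
    # the SARIF upload needs, and only this job holds it.
    permissions:
      security-events: write   # upload CodeQL results to code scanning
      actions: read            # read workflow metadata (needed on private repos)
      contents: read           # check out the source
    steps:
      - uses: actions/checkout@v4            # assumed ref; pin to the repo's existing SHA/tag
      - uses: github/codeql-action/init@v3   # assumed ref
        with:
          languages: go
      - uses: github/codeql-action/autobuild@v3   # Go builds via autobuild, as the PR describes
      - uses: github/codeql-action/analyze@v3     # runs the queries and uploads SARIF
        with:
          category: "/language:go"
```

Because the root block carries only contents: read, a second job added later (for example a lint or build job) cannot write to code scanning unless it explicitly requests that scope in its own permissions block, which is the review point the PR raises.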

Development

Successfully merging this pull request may close these issues.

Ensure correct CodeQL workflow permissions