ci: add CodeQL advanced setup workflow #62

Merged: jcardozo-eth merged 4 commits into main from ci/codeql-advanced-setup on Mar 24, 2026

Conversation

@jcardozo-eth (Member) commented Mar 24, 2026

Summary

  • Adds CodeQL security scanning via an Advanced Setup workflow (.github/workflows/codeql.yml)
  • Scans all 3 languages: actions, java-kotlin (manual build with Maven), and python
  • Runs on push to main, PRs targeting main, weekly schedule (Monday 06:30 UTC), and manual dispatch

Why CodeQL

CodeQL is GitHub's static analysis engine that automatically finds security vulnerabilities and coding errors in source code. For this project it provides:

  • Supply chain protection — the generated Java models use jackson-databind for deserialization, which has a history of CVEs. CodeQL detects unsafe deserialization patterns, injection vulnerabilities, and other issues that Dependabot (which only checks dependency versions) would miss.
  • CI/CD hardening — the actions scanner catches security misconfigurations in our GitHub Actions workflows, such as injection of untrusted input into run: steps or overly permissive permissions.
  • Continuous coverage — the weekly scheduled scan catches newly disclosed vulnerability patterns in existing code, even when no new commits are pushed.
  • PR-level feedback — CodeQL annotates pull requests with any new security findings, so issues are caught before they reach main.

Since this is a library published to GitHub Packages and TestPyPI, ensuring the generated models are free of known vulnerability patterns adds a layer of trust for downstream consumers.

Why Advanced Setup (not Default Setup)

CodeQL Default Setup (configured via the GitHub UI) doesn't grant security-events: write to Dependabot PRs. This means CodeQL can't upload SARIF results for the PR branch, so GitHub can't compare them against the main baseline. Every Dependabot PR shows a warning like:

Code scanning cannot determine the alerts introduced by this pull request, because 3 configurations present on refs/heads/main were not found

By switching to an Advanced Setup workflow checked into the repository, we explicitly declare security-events: write at the job level. GitHub trusts this because the workflow file lives on the base branch (main), so even Dependabot PRs get the permission they need to upload results.

What CodeQL covers

Language      Build mode   What it scans
actions       none         GitHub Actions workflow YAML files for security misconfigurations
java-kotlin   manual       Generated Java models from jsonschema2pojo + test code — deserialization patterns, jackson-databind usage, etc.
python        none         Python sources in src/data_archive/ — common security issues in generated Pydantic models

Pre-requisite

Before merging, disable CodeQL Default Setup in repo settings:
Settings > Code security and analysis > Code scanning > CodeQL analysis > switch to "Not configured"

Test plan

Replace CodeQL Default Setup with an explicit workflow to fix
the "configurations not found" warning on Dependabot PRs.
The key fix is granting security-events: write permission.

Scans actions, java-kotlin (with manual build), and python.
@jcardozo-eth jcardozo-eth self-assigned this Mar 24, 2026
@eth-library eth-library deleted a comment from Copilot AI Mar 24, 2026
@jcardozo-eth (Member, Author) commented:

@copilot review — focus on correctness: permissions, build configuration, and trigger logic.

Copilot AI (Contributor) commented Mar 24, 2026

@jcardozo-eth I've opened a new pull request, #65, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI and others added 2 commits March 24, 2026 10:26
ci: fix CodeQL workflow permissions, build conditions, and trigger scope
@jcardozo-eth jcardozo-eth merged commit 5e9add6 into main Mar 24, 2026
10 checks passed