ci: enable CodeQL code scanning #7
Description
CodeQL code scanning requires GitHub Advanced Security (GHAS) for private repositories. The scan itself works but results can't be uploaded without GHAS enabled.
Blocked on: GHAS subscription or making the repo public.
When unblocked:
- Add
.github/workflows/codeql.ymlwith Python language scanning - Run on PRs to main + weekly schedule
- Permissions needed:
security-events: write,contents: read,actions: read