Update CodeQL workflow to simplify language support

[felickz]

Removed support for several programming languages in CodeQL workflow and added a custom config for paths.

Scanning the dist folder is not productive:

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	4.*.*	🟢 6.4	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 7 3 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/github/codeql-action/analyze	4.*.*	Unknown	Unknown
actions/github/codeql-action/init	4.*.*	Unknown	Unknown

Scanned Files

• .github/workflows/codeql.yml

[Copilot]

Pull request overview

This PR updates the CodeQL workflow to focus on relevant code analysis by configuring language support and scan paths. The workflow now specifically analyzes GitHub Actions and JavaScript/TypeScript code while excluding the dist folder from scans to avoid unproductive analysis of generated/compiled code.

Changes:

• Limited language scanning to actions and javascript-typescript only
• Added custom configuration to restrict scans to the src directory
• Excluded dist and tests folders from analysis

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The comment indicates that both /dist and /tests should be ignored, but the configuration only excludes these directories by scanning the src directory. If the intention is to also exclude tests from scanning, this should be explicitly documented that the src path implicitly excludes them, or the comment should be updated to reflect the actual configuration approach.

Suggested change

	# Ignore /dist /tests
	# Limit analysis to the src directory (other top-level folders such as dist/tests are not scanned)