
Enable codeql scanning#1532

Merged
bioball merged 3 commits into apple:main from bioball:enable-codeql on Apr 20, 2026

Conversation

@bioball (Member) commented Apr 17, 2026

This enables security vulnerability scanning using CodeQL.

Comment thread on .github/codeql.pkl:

    jobs {
      for (scan in scans) {
        ["analyze-\(scan.language)"] {

Contributor:

Isn't it better/easier to go with a matrix build instead of multiple jobs? 🤔 🤷‍♂️
It's the same output, so it actually doesn't matter. Just my initial thought about it 😂

@bioball (Member, Author) replied Apr 17, 2026:

Matrices feel like a poor man's for loop that we can express much more easily with Pkl. And, you get actual Pkl dot access this way, rather than a stringy typed value ("${{ matrix.language }}" vs. scan.language). I think this ends up as basically the same thing? Each turns into its own job execution regardless.

Comment thread on .github/codeql.pkl:

          "main"
        }
      }
      schedule {

Contributor:

Is there a reason not to run this on push or PR? Having this able to block PRs would be very handy. I'd be interested in adding at least one custom query to block a problem pattern in CliCommand.

@bioball (Member, Author):

I was concerned about how long these things take to run. But, we can play around with it and see what happens!

Contributor:

Analysis for java-kotlin finished within a minute of the gradle-check job, so I think this would probably be okay to enable on PRs. A <1m delay in exchange for better security enforcement on PRs seems okay to me.

@bioball (Member, Author):

Added PRs

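Worked example added by the editor; it is not the apple/pkl repository's own .github/codeql.pkl, of which only the fragments quoted in the threads above are visible. It is a self-contained Pkl module that covers both discussion points: one CodeQL job per scan generated with a for-generator (the matrix-vs-jobs thread), and triggers on pull requests and pushes as well as on a schedule (the PR-blocking thread). The scan list, the cron expression, the action versions, the step layout and the file name are assumptions.

```pkl
// Added example module, not the project's own .github/codeql.pkl.
// Assumed: the workflow is modelled as plain Pkl objects and rendered with
//   pkl eval -f yaml codeql-example.pkl
// Scan list, cron, action versions and step layout are illustrative.

class Scan {
  language: String
  buildMode: String = "none"
}

// One entry per CodeQL language; each becomes its own job below.
// `local` keeps this helper out of the rendered YAML.
local scans: Listing<Scan> = new {
  new { language = "java-kotlin"; buildMode = "manual" }
  new { language = "actions" }
}

name = "CodeQL"

// Run on pull requests so findings can block a merge, on pushes to main so
// the Security tab tracks the default branch, and weekly to pick up new queries.
on {
  push { branches { "main" } }
  pull_request { branches { "main" } }
  schedule { new { cron = "0 3 * * 1" } }
}

// Least privilege for the token: upload SARIF, read the checkout, nothing else.
permissions {
  `security-events` = "write"
  contents = "read"
}

jobs {
  for (scan in scans) {
    // Pkl for-generator: the job key and the step inputs read scan.language
    // and scan.buildMode directly, instead of the stringly-typed
    // "${{ matrix.language }}" a GitHub Actions matrix would require.
    ["analyze-\(scan.language)"] {
      name = "Analyze (\(scan.language))"
      `runs-on` = "ubuntu-latest"
      steps {
        new { uses = "actions/checkout@v4" }
        new {
          uses = "github/codeql-action/init@v3"
          with {
            languages = scan.language
            `build-mode` = scan.buildMode
          }
        }
        new {
          uses = "github/codeql-action/analyze@v3"
          with { category = "/language:\(scan.language)" }
        }
      }
    }
  }
}
```

Render it with `pkl eval -f yaml codeql-example.pkl`; the output is one `analyze-java-kotlin` and one `analyze-actions` job, each a separate job execution exactly as a matrix would produce. Because the workflow fires on `pull_request`, the resulting `Analyze (...)` checks can be listed as required status checks in branch protection, which is what makes a CodeQL finding able to block a merge rather than only appear in the Security tab.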
@github-advanced-security (bot):

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@bioball bioball merged commit a33e431 into apple:main Apr 20, 2026
21 checks passed
@bioball bioball deleted the enable-codeql branch April 20, 2026 18:28