chore: switch SAST from semgrep to CodeQL and update Node workflows to v24

- Replace semgrep workflow with CodeQL static analysis (github/codeql-action)
  to align with OpenSSF Scorecard recognition requirement (issue #1827)
- Update CI workflows from Node 20 (EOL) to Node 24 (current LTS):
  - coverage.yml: Node 20.x to 24.x
  - release.yml: Node 20 to 24 (all three jobs)
  - cve-scanning.yml: simplify to single Node 24 (removes matrix)
- Add Node engine constraint (>=22) to root package.json per maintainer guidance
  indicating support floor and future Node 25 capability (issue #1826)

Closes #1827 #1826

Author: Mankurj05

.github/workflows/codeql.yml

@@ -0,0 +1,39 @@
+name: Static code analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+  schedule:
+    # Run every day at 5am and 5pm
+    - cron: '0 5,17 * * *'
+
+permissions: read-all
+
+jobs:
+  analyze:
+    name: CodeQL analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+
+      - name: Analyze
+        uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8

.github/workflows/coverage.yml

@@ -28,7 +28,7 @@ jobs:
     - name: Set up Node.js
       uses: actions/setup-node@v6
       with:
-        node-version: 20.x
+        node-version: 24.x
 
     - name: Install dependencies
       run: npm ci

.github/workflows/cve-scanning.yml

@@ -25,15 +25,12 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [20]
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Use Node.js 24
         uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: 24
 
       - run: npm install
 

.github/workflows/release.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Configure Node
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 24
 
       - name: Install dependencies
         run: npm ci
@@ -105,11 +105,11 @@ jobs:
       - name: Configure Node for npmjs.org
         uses: actions/setup-node@v4
         with:
+<<<<<<< HEAD
           node-version: 22
-          registry-url: https://registry.npmjs.org
-          always-auth: true
-
-      - name: Publish tarballs to npmjs.org (with provenance and dist-tag)
+=======
+          node-version: 24
+          node-version: 24
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # npm automation token
           PUBLISH_TAG: ${{ needs.build_and_pack.outputs.publish_tag }}
@@ -136,9 +136,10 @@ jobs:
       - name: Configure Node for GitHub Packages
         uses: actions/setup-node@v4
         with:
+<<<<<<< HEAD
           node-version: 22
-          registry-url: https://npm.pkg.github.com
-          scope: '@finos'
+=======
+          node-version: 24
           always-auth: true
 
       - name: Publish tarballs to GitHub Packages (with dist-tag)

.github/workflows/semgrep.yml

@@ -11,6 +11,9 @@
     "tag": "latest"
   },
   "license": "Apache-2.0",
+  "engines": {
+    "node": ">=22"
+  },
   "main": "dist/index.js",
   "typings": "dist/index.d.ts",
   "module": "dist/fdc3.esm.js",