
chore: switch SAST from semgrep to CodeQL and update Node workflows t…#1868

Open
Mankurj05 wants to merge 2 commits into finos:main from Mankurj05:chore/sast-codeql-node24

Conversation


@Mankurj05 Mankurj05 commented Apr 29, 2026

…o v24

  • Replace semgrep workflow with CodeQL static analysis (github/codeql-action) to align with OpenSSF Scorecard recognition requirement (issue Switch SAST workflow from semgrep to codeql #1827)
  • Update CI workflows from Node 20 (EOL) to Node 24 (current LTS):
    • coverage.yml: Node 20.x to 24.x
    • release.yml: Node 20 to 24 (all three jobs)
    • cve-scanning.yml: simplify to single Node 24 (removes matrix)
  • Add Node engine constraint (>=22) to root package.json per maintainer guidance indicating support floor and future Node 25 capability (issue Deprecate node 20 and change testing matrix to node 22, 24 & 25 #1826)

Closes #1827 #1826

Describe your change

Related Issue

Contributor License Agreement

  • I acknowledge that a contributor license agreement is required and that I have one in place or will seek to put one in place ASAP.

Review Checklist

  • Issue: If a change was made to the FDC3 Standard, was an issue linked above?
  • CHANGELOG: Is a CHANGELOG.md entry included?
  • API changes: Does this PR include changes to any of the FDC3 APIs (DesktopAgent, Channel, PrivateChannel, Listener, Bridging)?
    • Docs & Sources: If yes, were both documentation (/docs) and sources updated?

      JSDoc comments on interfaces and types should be matched to the main documentation in /docs
    • Conformance tests: If yes, are conformance test definitions (/toolbox/fdc3-conformance) still correct and complete?

      Conformance test definitions should cover all required aspects of an FDC3 Desktop Agent implementation, which are usually marked with a MUST keyword, and optional features (SHOULD or MAY) where the format of those features is defined
    • Schemas: If yes, were changes applied to the Bridging and FDC3 for Web protocol schemas?

      The Web Connection protocol and Desktop Agent Communication Protocol schemas must be able to support all necessary aspects of the Desktop Agent API, while Bridging must support those aspects necessary for Desktop Agents to communicate with each other
      • If yes, was code generation (npm run build) run and the results checked in?

        Generated code will be found at /src/api/BrowserTypes.ts and/or /src/bridging/BridgingTypes.ts
  • Context types: Were new Context type schemas created or modified in this PR?
    • Were the field type conventions adhered to?
    • Was the BaseContext schema applied via allOf (as it is in existing types)?
    • Was a title and description provided for all properties defined in the schema?
    • Was at least one example provided?
    • Was code generation (npm run build) run and the results checked in?

      Generated code will be found at /src/context/ContextTypes.ts
  • Intents: Were new Intents created in this PR?

…o v24

- Replace semgrep workflow with CodeQL static analysis (github/codeql-action)
  to align with OpenSSF Scorecard recognition requirement (issue finos#1827)
- Update CI workflows from Node 20 (EOL) to Node 24 (current LTS):
  - coverage.yml: Node 20.x to 24.x
  - release.yml: Node 20 to 24 (all three jobs)
  - cve-scanning.yml: simplify to single Node 24 (removes matrix)
- Add Node engine constraint (>=22) to root package.json per maintainer guidance
  indicating support floor and future Node 25 capability (issue finos#1826)

Closes finos#1827 finos#1826
@Mankurj05 Mankurj05 requested a review from a team as a code owner April 29, 2026 18:48

netlify Bot commented Apr 29, 2026

Deploy Preview for fdc3 canceled.

Latest commit: feefd94
Latest deploy log: https://app.netlify.com/projects/fdc3/deploys/69f27a5e1c4af300080dd909


linux-foundation-easycla Bot commented Apr 29, 2026

CLA Signed

The committers listed above are authorized under a signed CLA.

@Mankurj05 Mankurj05 force-pushed the chore/sast-codeql-node24 branch 2 times, most recently from e70e5a4 to 5ef5c34, April 29, 2026 19:02
@Mankurj05 Mankurj05 (Author) commented

This PR only updates CI/SAST workflows and Node engine support metadata; no FDC3 API, schema, context-type, intent, or docs changes.

@Mankurj05 Mankurj05 (Author) commented

Rebased onto latest main and fixed a stray release workflow conflict from the rebase. The branch should be clean now.

Development

Successfully merging this pull request may close these issues.

Switch SAST workflow from semgrep to codeql

1 participant