ci: add CodeQL Advanced security scanning workflow

Adds security scanning via GitHub CodeQL to detect vulnerabilities
in JavaScript/TypeScript source and GitHub Actions workflows.

- Analyzes javascript-typescript and actions with build-mode: none
- Uses security-extended query suite for comprehensive coverage
- SHA-pinned actions following existing repo conventions
- Daily scheduled run at 23:28 UTC plus push/PR triggers
- paths-ignore on PRs to skip markdown-only changes
- Updated docs/07-github-automation.md

Closes #386

Signed-off-by: cheese-cakee <farzanaman99@gmail.com>

Author: cheese-cakee

.github/workflows/codeql.yml

@@ -0,0 +1,60 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+  schedule:
+    - cron: "28 23 * * *"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      packages: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.3.5
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended
+          dependency-caching: true
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.3.5
+        with:
+          category: "/language:${{ matrix.language }}"

docs/07-github-automation.md

@@ -9,6 +9,7 @@ The repo currently includes:
 
 - `.github/workflows/ci.yml`
 - `.github/workflows/pr-formatting.yaml`
+- `.github/workflows/codeql.yml`
 
 ## CI Workflow
 
@@ -53,6 +54,29 @@ The workflow does not currently run:
 
 This workflow checks the pull request title against conventional commit style.
 
+## CodeQL Workflow
+
+`codeql.yml` runs security analysis via GitHub's CodeQL scanning. It triggers on:
+
+- pushes to `main`
+- pull requests targeting `main` (ignoring `.md` file-only changes)
+- a daily schedule at 23:28 UTC
+
+### Languages Analyzed
+
+The workflow uses a matrix strategy to analyze two languages in parallel:
+
+- **GitHub Actions** (`actions`) — analyzes the repository's own Actions workflow files
+- **JavaScript/TypeScript** (`javascript-typescript`) — analyzes the website's source code
+
+Both use `build-mode: none` since JavaScript/TypeScript and Actions are interpreted languages
+that do not require compilation.
+
+### Security Queries
+
+The workflow uses the `security-extended` query suite for comprehensive security coverage,
+including CWE classifications and security hardening recommendations.
+
 ## What Contributors Should Expect
 
 Before asking for review, contributors should expect GitHub to reject:
@@ -61,6 +85,7 @@ Before asking for review, contributors should expect GitHub to reject:
 - source changes that are not formatted
 - lint-breaking changes
 - changes that break the production build
+- changes that introduce security vulnerabilities (detected by CodeQL)
 
 ## Recommended Habit