
ci(codeql): enable for github actions #448

Merged
ReenigneArcher merged 1 commit into master from ci/codeql/enable-for-github-actions on Apr 25, 2025

Conversation

ReenigneArcher (Member) commented Apr 24, 2025

Description

Add "actions" for CodeQL scanning.

Note: CodeQL flagged every workflow for not having "permissions" set explicitly. Hopefully none of the workflows break with what I have set, but might have a few surprises after the PRs are created in each repo.

Screenshot

Issues Fixed or Closed

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Dependency update (updates to dependencies)
  • Documentation update (changes to documentation)
  • Repository update (changes to repository files, e.g. .github/...)

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated the in code docstring/documentation-blocks for new or existing methods/components

@github-advanced-security commented

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@ReenigneArcher ReenigneArcher force-pushed the ci/codeql/enable-for-github-actions branch 2 times, most recently from 185efd9 to 7765f72 Compare April 25, 2025 00:42
@ReenigneArcher ReenigneArcher force-pushed the ci/codeql/enable-for-github-actions branch from 7765f72 to 37a7a44 Compare April 25, 2025 03:17

@ReenigneArcher ReenigneArcher requested a review from Copilot April 25, 2025 03:26

Copilot AI left a comment

Pull Request Overview

This PR updates multiple GitHub Actions workflow files to explicitly set permissions and expand event-type configurations, in order to comply with CodeQL scanning requirements and recent best practices.

  • Explicitly set permissions (e.g. contents: read or empty permissions) in all workflow files
  • Expand inline arrays for event types (release, issues, etc.)
  • Refactor conditional expressions and rename some job steps to improve clarity

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/update-docs.yml: Added explicit permissions and expanded release event types
  • .github/workflows/update-changelog.yml: Added permissions, updated event types, and renamed job for clarity
  • .github/workflows/social-post.yml: Adjusted conditional expressions in if clauses
  • .github/workflows/renovate-config-validator.yml: Updated branch and types syntax with explicit permissions
  • .github/workflows/release-notifier.yml: Added permissions and refined conditional expressions
  • .github/workflows/patch_missing_releases.yml: Added permissions configuration
  • .github/workflows/issues.yml: Added explicit permissions and expanded issue event types
  • .github/workflows/issues-stale.yml: Added permissions, updated job naming, and refined conditions
  • .github/workflows/global-replicator.yml: Added permissions and adjusted branch filtering
  • .github/workflows/common-lint.yml: Added explicit permissions and simplified a log step
  • .github/workflows/codeql.yml: Added permissions, refined branch filters, and updated matrix generation
  • .github/workflows/cla-gist-replicator.yml: Added permissions and adjusted branch filtering
  • .github/workflows/ci-docker.yml: Added permissions, refined trigger conditions, and updated job structure
Comments suppressed due to low confidence (1)

.github/workflows/ci-docker.yml:130 (`name: Docker${{ matrix.tag }}`)

  • [nitpick] Consider adding a separator between 'Docker' and the tag value (e.g. 'Docker - ${{ matrix.tag }}') for improved readability.
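The review above describes two things the PR does to each workflow: set `permissions` explicitly (so CodeQL stops flagging the file and the GITHUB_TOKEN no longer inherits the repository's default scopes) and add `actions` to the CodeQL language matrix. The workflow below is an added illustration of both, not a file from this PR; the action versions (`@v4`, `@v3`) and the `master` branch filter are assumptions.

```yaml
# Added illustration, not code from this PR. The workflows CodeQL flagged had
# no "permissions" key at all, so every job received the repository's default
# GITHUB_TOKEN scopes. Here the top-level block drops all scopes and each job
# re-grants only what it needs. Action versions are assumptions.
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Empty block: no scope is granted unless a job asks for it explicitly.
# This is the setting CodeQL reported as missing in every workflow.
permissions: {}

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only; no push, no release, no issues
      security-events: write  # required to upload SARIF results to code scanning
    strategy:
      fail-fast: false
      matrix:
        # "actions" makes CodeQL analyse the workflow files themselves,
        # which is what this PR turns on.
        language: [actions]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

A workflow that only reads the checkout can keep the job-level block down to `contents: read`; jobs that post comments, push tags or create releases need the matching `issues`, `contents` or `pull-requests` write scope added one at a time, which is where the description's "might have a few surprises" comes from.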

@ReenigneArcher ReenigneArcher merged commit a8c37b6 into master Apr 25, 2025
13 checks passed
@ReenigneArcher ReenigneArcher deleted the ci/codeql/enable-for-github-actions branch April 25, 2025 03:29

Development

Successfully merging this pull request may close these issues.

.github: scan GitHub actions with CodeQL

1 participant