chore(ci): switch CodeQL from default to advanced setup

.github/codeql/codeql-config.yml

@@ -0,0 +1,14 @@
+name: dmarcheck CodeQL config
+
+# Exclude test files from CodeQL analysis.
+#
+# Why: tests use String.includes() on warning-message strings as assertions
+# (e.g. expect(v.message.includes("example.com")).toBe(true)). The
+# js/incomplete-url-substring-sanitization rule fires on these as if they were
+# URL sanitization gates, but they have no URL flow, no fetch, and no auth
+# boundary — the .includes() runs on the asserted output, not user input.
+# Tests are not shipped to the Worker runtime, so the security blast radius
+# of excluding them is zero.
+paths-ignore:
+  - test/**
+  - "**/*.test.ts"

.github/workflows/codeql.yml

@@ -0,0 +1,42 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    # Weekly full scan, Monday 12:23 UTC. Keeps coverage for branches that
+    # aren't being actively PR'd.
+    - cron: "23 12 * * 1"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: actions
+            build-mode: none
+          - language: javascript-typescript
+            build-mode: none
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: github/codeql-action/init@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          config-file: ./.github/codeql/codeql-config.yml
+      - uses: github/codeql-action/analyze@03e4368ac7daa2bd82b3e85262f3bf87ee112f57 # v3.36.0
+        with:
+          category: "/language:${{ matrix.language }}"