
ci: ignore vendored JavaScript in CodeQL #619

Merged: CaseyLabs merged 3 commits into master from ci/codeql-ignore-vendored-js, Jun 10, 2026

@CaseyLabs (Collaborator) commented Jun 10, 2026

Summary

  • Adds an explicit CodeQL advanced setup workflow for Go and JavaScript/TypeScript.
  • Adds a CodeQL config file that ignores checked-in third-party browser bundles.
  • Skips JavaScript autobuild and only autobuilds Go, since JS/TS CodeQL does not need a build step here.
  • Adds a 30-minute job timeout so a future analyzer hang cannot consume a runner indefinitely.

Why

  • The current CodeQL run is using GitHub dynamic default setup.
  • The JavaScript/TypeScript analyzer gets stuck in Perform CodeQL Analysis.
  • The likely cause is CodeQL scanning large vendored browser assets, especially Monaco and xterm bundles under _datafiles/html/.../static.
  • These files are third-party generated bundles, so they are low-value for source analysis and better covered by dependency maintenance.

Ignored Paths

  • _datafiles/html/admin/static/js/monaco/**
  • _datafiles/html/admin/static/js/highlight.js
  • _datafiles/html/admin/static/css/monaco-editor.css
  • _datafiles/html/public/static/js/xterm/**

TODO: Change GitHub Repo Settings

@Volte6 - After this PR is merged, you will need to switch CodeQL from default setup to advanced setup, so that GitHub uses .github/workflows/codeql.yml instead of the dynamic workflow.

Steps:

  • On the GoMud repo, open Settings.
  • Open Code security or Advanced Security.
  • Find CodeQL analysis.
  • If it is using Default setup, choose the menu next to it and select Switch to advanced setup, or disable default setup so the checked-in workflow is used.
  • Confirm new CodeQL runs come from .github/workflows/codeql.yml, not dynamic/github-code-scanning/codeql.
  • Cancel any old stuck Analyze (javascript-typescript) runs after the switch.

@CaseyLabs CaseyLabs marked this pull request as ready for review June 10, 2026 17:28
@CaseyLabs CaseyLabs requested a review from Volte6 as a code owner June 10, 2026 17:28
@CaseyLabs CaseyLabs merged commit 0a341ba into master Jun 10, 2026
13 of 17 checks passed
@CaseyLabs CaseyLabs deleted the ci/codeql-ignore-vendored-js branch June 10, 2026 20:10
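
An added sketch of the setup the PR description outlines, shown as two files in one listing; it is not the PR's actual files. The ignored paths, the Go-only autobuild, the 30-minute timeout and the workflow path come from the description, while the config file path `.github/codeql/codeql-config.yml`, the triggers, the permissions block and the action versions are assumptions.

```yaml
# File 1 (assumed path): .github/codeql/codeql-config.yml
# Excludes the checked-in third-party bundles named in the PR description.
name: codeql-config
paths-ignore:
  - "_datafiles/html/admin/static/js/monaco/**"
  - "_datafiles/html/admin/static/js/highlight.js"
  - "_datafiles/html/admin/static/css/monaco-editor.css"
  - "_datafiles/html/public/static/js/xterm/**"
---
# File 2: .github/workflows/codeql.yml (advanced setup workflow)
name: CodeQL
on:
  push:
    branches: [master]          # assumed triggers
  pull_request:
    branches: [master]
jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    timeout-minutes: 30         # a hung analyzer cannot hold the runner indefinitely
    permissions:
      contents: read
      security-events: write    # needed to upload code scanning results
    strategy:
      fail-fast: false
      matrix:
        language: [go, javascript-typescript]
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml
      # Only Go is autobuilt; JS/TS is analyzed without a build step.
      - if: matrix.language == 'go'
        uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

The checked-in workflow only takes effect once default setup is switched off in the repository settings, as the steps in the description say.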