ci: add CodeQL static analysis

[abhinavagarwal07]

New codeql.yml running CodeQL in manual build mode with the security-extended query suite. Triggers on push/PR to master plus a weekly schedule.

Uses CodeQL Action v4 with full SHA pins. Permissions scoped to contents: read and security-events: write. Runner pinned to ubuntu-24.04 with setup-python for PEP 668 compatibility. Builds only the sshfs target to keep alerts focused on shipped code.

CodeQL provides semantic static analysis beyond what compiler warnings and clang-tidy catch — it models data flow through the program to find injection, buffer overflow, and resource management issues. The security-extended suite balances signal-to-noise for a C codebase of this size. Should be a required PR check once merged.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.