- ci.yml: only run on Go/frontend source and lockfiles.
- codeql.yml: scope push/PR triggers to Go and JS/TS sources;
weekly cron still does a full scan.
- release.yml: add matching paths allowlist to pull_request so
doc/workflow-only PRs don't kick off the multi-arch build.
Skips workflow runs on changes to docs, translations, GitHub
configs, and unrelated scripts.
In the CodeQL workflow, add Node.js setup and a frontend build step for the Go matrix so vite emits web/dist before CodeQL's Go autobuild (the Go binary uses //go:embed all:dist and web/dist is .gitignored). In the release workflow, remove the separate Go analyze job (gofmt, go vet, staticcheck, tests) and drop its dependency from build jobs to simplify the release pipeline.
Introduce a CodeQL analysis workflow (CodeQL Advanced) that runs on push, pull_request, and a weekly schedule. It initializes and runs github/codeql-action for a matrix of languages (actions, go, javascript-typescript), configures build-mode per-language, sets minimal read/write permissions for security-events, packages, actions and contents, and selects macOS for Swift or Ubuntu otherwise.
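What the three CodeQL-related messages above add up to, written out as an added example workflow (this is a reconstruction, not the project's actual `codeql.yml`): push and pull_request triggers are scoped to Go and JS/TS sources while the weekly schedule has no `paths` filter and so still scans everything; each matrix language gets its own build mode; the job holds only the permissions the message lists; the runner is macOS for Swift and Ubuntu otherwise; and for the Go matrix entry a Node.js setup and frontend build run before `codeql-action/init`, so `web/dist` exists when the Go autobuild compiles a binary that uses `//go:embed all:dist`. Assumed here and not stated on the page: the `main` branch name, the `web/` directory with an npm-based build, Node 20, the exact path globs, the cron time, and the `v3`/`v4` action tags.

```yaml
name: "CodeQL Advanced"

on:
  push:
    branches: [ "main" ]          # assumed default branch
    paths:                        # Go and JS/TS sources only (globs are assumptions)
      - '**.go'
      - 'go.mod'
      - 'go.sum'
      - 'web/src/**'
      - 'web/package.json'
      - 'web/package-lock.json'
  pull_request:
    branches: [ "main" ]
    paths:
      - '**.go'
      - 'go.mod'
      - 'go.sum'
      - 'web/src/**'
      - 'web/package.json'
      - 'web/package-lock.json'
  schedule:
    # No paths filter applies to schedule events, so the weekly run is a full scan.
    - cron: '0 3 * * 1'           # assumed time; weekly on Monday

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    # macOS for Swift, Ubuntu for everything else (Swift is not in this matrix).
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    permissions:
      security-events: write      # upload SARIF results
      packages: read              # fetch CodeQL packs
      actions: read               # read workflow metadata
      contents: read              # checkout
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
            build-mode: none
          - language: go
            build-mode: autobuild  # compiles the Go module, which embeds web/dist
          - language: javascript-typescript
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # web/dist is .gitignored, so it must be produced before the Go autobuild
      # or the //go:embed all:dist directive fails to compile.
      - name: Set up Node.js
        if: matrix.language == 'go'
        uses: actions/setup-node@v4
        with:
          node-version: '20'      # assumed version
          cache: npm
          cache-dependency-path: web/package-lock.json

      - name: Build frontend (emits web/dist)
        if: matrix.language == 'go'
        working-directory: web   # assumed frontend location
        run: |
          npm ci
          npm run build

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
```

Two things worth checking when adapting this: the `paths` list must be repeated under both `push` and `pull_request` (a filter on one trigger does not carry over to the other), and the frontend build steps are gated with `if: matrix.language == 'go'` so the `actions` and `javascript-typescript` entries, which use `build-mode: none`, do not pay for a Node install and build they never use.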