Adds CodeQL static analysis on push to main, pull_request, and weekly
on Wednesday 02:00 UTC (staggered from trace-revalidation Monday cron).
Uses the default security-and-quality query suite. Includes a consumer
note that private repos require GitHub Advanced Security.
