ci: add CodeQL or equivalent security scanning workflow

[ericksoa]

Summary

Add automated security scanning to the CI pipeline. CodeQL (or equivalent) should run on PRs and on a weekly schedule to catch common vulnerability patterns in JavaScript and Python.

Identified during review of #390.

[albertrial]

Hi @cv, are you currently working on this or planning to? I have a basic CodeQL workflow ready, in case you have not yet started working on this or if you have moved on from it. Thanks!

[cv]

@albertrial we're planning to do a big move to TypeScript with #924, then throw as many scanners and linters and tooling at it as we can get our hands on. Please hold! :)