Update CodeQL Action v3 → v4 and fix SARIF upload failure

[Copilot]

The Codacy security scan workflow was using the deprecated codeql-action/upload-sarif@v3 and failing with Invalid request. 1 item required; only 0 were supplied when CODACY_PROJECT_TOKEN is unavailable (e.g., fork PRs), causing an empty SARIF file with zero runs to be rejected by the GitHub API.

Changes

• codeql-action/upload-sarif v3 → v4 — v3 is deprecated and will stop working December 2026
• continue-on-error: true on upload step — prevents hard failure when Codacy produces an empty SARIF due to missing token; upload still runs and succeeds when the token is present

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (be7c224)	213	207	97.18%
Head commit (7007447)	213 (+0)	207 (+0)	97.18% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#61)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.00% (target: -1.00%)	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (be7c224)	213	207	97.18%
Head commit (7007447)	213 (+0)	207 (+0)	97.18% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#61)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[coveralls]

coverage: 97.333%. remained the same
when pulling 7007447 on copilot/update-codeql-action-version
into be7c224 on main.