ci: add PR trigger for CodeQL scanning (#1911)

Add push and pull_request triggers to catch security vulnerabilities
before they're merged to main, rather than only at release time.

This provides shift-left security - vulnerabilities like path injection
(CWE-22) will now be flagged during PR review instead of being
discovered days later by scheduled scans.
LearningCircuit
2026-02-03 07:35:53 +01:00
committed by GitHub
parent 777947bf62
commit aa22ca176f

@@ -12,6 +12,10 @@
name: "CodeQL Advanced"
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: '45 5 * * 0'
workflow_call: # Called by security-release-gate.yml
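Review bot: nothing in this hunk limits overlapping runs for the added `push:` and `pull_request:` triggers on `branches: [main]`, so every push to an open PR starts a full CodeQL analysis and the merged commit is analyzed again on `push`, in addition to the weekly cron and the `workflow_call` from security-release-gate.yml. If the workflow does not already define one further down, add a `concurrency` group keyed on the workflow name and `github.ref` with `cancel-in-progress: true`, so superseded PR runs are cancelled instead of queuing. Also note that `pull_request:` with `branches: [main]` only covers PRs that target main; changes going into any other long-lived branch are still scanned only once they reach main, which is worth stating in the workflow comments if that is intended.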