GUARD-2071: Update CodeQL runner to use public labeled runner

- Changed runner from ubuntu-latest to ubuntu-24.04-2cores-tools-public
- Removed GitHub App token workaround (no longer needed)
- Removed manual SARIF upload steps (no longer needed)
- Now using standard CodeQL action upload mechanism

The new labeled runner has allowlisted IPs that can interact with
the Skyscanner GitHub org, eliminating the need for the previous
workaround that used a GitHub App to upload SARIF results.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: UjjwalSaini19

.github/workflows/codeql.yml

@@ -11,7 +11,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-2cores-tools-public
     permissions:
       actions: read
       contents: read
@@ -28,55 +28,16 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-        id: app-token
-        with:
-          app-id: ${{ vars.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-
       - name: Initialize CodeQL
         uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
-          token: ${{ steps.app-token.outputs.token }}
 
       - name: Autobuild
         uses: github/codeql-action/autobuild@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
-        with:
-          token: ${{ steps.app-token.outputs.token }}
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
         with:
           category: "/language:${{ matrix.language }}"
-          token: ${{ steps.app-token.outputs.token }}
-          upload: never
-
-      # Workaround for parallel GitHub bugs
-      # * Can't use GHA token with IP allowlisting
-      #   https://docs.github.com/en/enterprise-cloud@latest/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-allowed-ip-addresses-for-your-organization#using-github-actions-with-an-ip-allow-list
-      # * Can't use codeql-action/analyze with custom token
-      #   https://support.github.com/ticket/enterprise/3427/3214517
-      - name: Prepare for CodeQL Upload
-        run: |
-          echo "{\"commit_sha\": \"${{ github.sha }}\", \"ref\": \"${GITHUB_REF}\"}" > ./codeql-upload.json
-
-      - name: Gzip CodeQL SARIF Result
-        run: |
-          gzip -c ../results/${{ matrix.language }}.sarif | base64 -w0 > codeql-results.sarif.gz.base64
-    
-      - name: Staple SARIF result to CodeQL upload
-        run: |
-          jq --rawfile sarif codeql-results.sarif.gz.base64 '.sarif = $sarif' codeql-upload.json > codeql-upload-with-sarif.json
-
-      - name: Upload CodeQL Results
-        run: |
-          curl --fail-with-body \
-            -X POST \
-            -H "Authorization: token ${STEPS_APP_TOKEN_OUTPUTS_TOKEN}" \
-            -H "Accept: application/vnd.github.v3+json" \
-            --data "@codeql-upload-with-sarif.json" \
-            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs
-        env:
-          STEPS_APP_TOKEN_OUTPUTS_TOKEN: ${{ steps.app-token.outputs.token }}