We want to limit when the CodeQL workflows run, as they seemed to be running on every push to any branch. This was clogging up our workflows.

We'll need to make a configuration file to re-enable CodeQL only on PRs to main and maybe pushes to main.