ci(security): upgrade CodeQL actions from v3 to v4

BREAKING CHANGE: CodeQL Action v3 deprecated November 25, 2025

Changes:
- Updated github/codeql-action/init from v3 to v4
- Updated github/codeql-action/analyze from v3 to v4

This addresses the deprecation warning:
"The `v3` tag of github/codeql-action is being deprecated and may
stop working without warning on November 25, 2025."

The v4 release (October 2025) includes:
- Node.js 22 upgrade (from Node.js 20)
- Improved performance for large codebases
- Enhanced Rust language support
- Better security-extended query coverage

Additionally, created missing GitHub labels for Dependabot:
- "dependencies" (blue, #0366d6) - Dependency-related PRs
- "rust" (orange, #dea584) - Rust ecosystem updates
- "github-actions" (yellow, #ffc107) - CI/CD workflow updates

These labels enable Dependabot to properly tag automated PRs
per the dependabot.yml configuration.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: doublegate

.github/workflows/codeql.yml

@@ -56,7 +56,7 @@ jobs:
 
       # Initialize CodeQL tools for scanning
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           # Use security-extended query suite for comprehensive security analysis
@@ -72,7 +72,7 @@ jobs:
 
       # Perform CodeQL Analysis
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: "/language:${{ matrix.language }}"
           # Fail the workflow if high or critical severity issues are found