chore(ci): update CodeQL workflow MONGOSH-1994

[nirinchev]

Cleans up the CodeQL workflow and updates actions to latest

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[addaleax]

Fyi, the create_static_analysis_report failure is real, pointing at https://github.com/mongodb-js/mongosh/security/code-scanning/58 – I'm guessing we're fine with dismissing that, feel free to do that, but I'm just making sure we're not merging with a red CI

[nirinchev]

Yes, those are legitimate antipatterns. I would lean slightly toward dismissing the alerts as I feel an attacker who's been able to compromise the devtools-shared repo and push a malicious version of the setup-bot-token action would already be in a position to do whatever they want with our other repos, so pinning the action to a commit sha would be slightly more annoying for no obvious benefit.

[nirinchev]

@addaleax fixed/dismissed the issues flagged by codeql, so this should be mergeable.