fix(ci): resolve SARIF upload failure by using ConvertToSARIF module

Replace the failing microsoft/psscriptanalyzer-action with direct use of
the ConvertToSARIF module to generate SARIF output. This eliminates the
redundant second PSScriptAnalyzer execution and provides better control
over SARIF generation.

Changes:
- Add az416426.vo.msecnd.net to egress allowlist for module download
- Install ConvertToSARIF module on push events
- Generate SARIF in analysis step using ConvertTo-SARIF
- Remove broken microsoft/psscriptanalyzer-action step
- Upgrade CodeQL action from v3 to v4.31.9

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: thetechgy

.github/workflows/ci.yml

@@ -51,6 +51,7 @@ jobs:
             cdn.powershellgallery.com:443
             onegetcdn.azureedge.net:443
             dc.services.visualstudio.com:443
+            az416426.vo.msecnd.net:443
 
       - name: Checkout repository
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -79,6 +80,13 @@ jobs:
               Select-Object -First 1 |
               Format-List Name, Version, ModuleBase
 
+      - name: Install ConvertToSARIF
+        if: github.event_name == 'push'
+        shell: pwsh
+        run: |
+          Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
+          Install-Module -Name ConvertToSARIF -Scope CurrentUser -Force -AllowClobber
+
       - name: Analyze PowerShell scripts
         shell: pwsh
         run: |
@@ -108,25 +116,33 @@ jobs:
               $results += Invoke-ScriptAnalyzer -Path $p -Recurse -Settings $settingsPath
           }
 
+          # Generate SARIF for GitHub Security tab (push events only)
+          if ('${{ github.event_name }}' -eq 'push') {
+              if ($results) {
+                  $results | ConvertTo-SARIF -FilePath 'results.sarif'
+              } else {
+                  # Create minimal valid SARIF when no issues found
+                  @{
+                      '$schema' = 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json'
+                      version = '2.1.0'
+                      runs = @(@{
+                          tool = @{ driver = @{ name = 'PSScriptAnalyzer'; version = '${{ env.PSSA_VERSION }}' } }
+                          results = @()
+                      })
+                  } | ConvertTo-Json -Depth 10 | Set-Content -Path 'results.sarif'
+              }
+          }
+
           if ($results) {
               $results | Format-Table RuleName, Severity, ScriptName, Line, Message -AutoSize
               Write-Host "`nTotal issues: $($results.Count)"
               exit 1
           }
           Write-Host 'No issues found.'
 
-      - name: Run PSScriptAnalyzer for SARIF
-        if: always() && github.event_name == 'push'
-        uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f # v1.1
-        with:
-          path: .
-          settings: ./PSScriptAnalyzerSettings.psd1
-          output: results.sarif
-          recurse: true
-
       - name: Upload SARIF to Security tab
         if: always() && github.event_name == 'push'
-        uses: github/codeql-action/upload-sarif@c37a8b7cd97e31de3fcbd9d84c401870edeb8d34 # v3
+        uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
         with:
           sarif_file: results.sarif
           category: psscriptanalyzer