Add CodeQL workflow with manual c-cpp build #355

Open
jensens wants to merge 3 commits into zopefoundation:master from bluedynamics:fix-codeql-cpp-build

jensens commented Feb 17, 2026

The default CodeQL setup's c-cpp autobuild fails because the runner's setuptools is too old for the PEP 639 license format (license = "ZPL-2.1") in pyproject.toml.

Adds a custom workflow with manual build mode for c-cpp that upgrades setuptools before building. Uses codeql-action v4 (v3 is deprecated Dec 2026).

⚠️ Important: A repo admin must disable the default CodeQL setup in Settings > Code security before merging this PR, otherwise the two configurations conflict ("CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled").

Fixes #354

jensens requested review from dataflake and icemac February 17, 2026 23:29
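
An advanced-setup workflow of the kind the description above outlines, as an added example that is not the file from this pull request. The `master` branch comes from the page; the path `.github/workflows/codeql.yml`, the schedule, the Python version and the build command are assumptions.

```yaml
# .github/workflows/codeql.yml (assumed path; illustration, not the PR's file)
name: CodeQL

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    - cron: "27 4 * * 1"   # constructed weekly schedule

# Default to read-only; the job widens only what it needs.
permissions:
  contents: read

jobs:
  analyze:
    name: Analyze (c-cpp)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload the analysis results
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"   # assumed; use the version the project supports

      # Manual build mode: CodeQL traces the compiler calls made by the
      # steps between init and analyze instead of running autobuild.
      - uses: github/codeql-action/init@v4
        with:
          languages: c-cpp
          build-mode: manual

      - name: Build C extensions with a current setuptools
        run: |
          # Upgrade first so the PEP 639 license string in pyproject.toml parses.
          python -m pip install --upgrade pip setuptools wheel
          # --no-build-isolation makes pip use the setuptools upgraded above
          # (assumes no other build requirements are needed).
          python -m pip install --no-build-isolation --verbose .

      - uses: github/codeql-action/analyze@v4
        with:
          category: "/language:c-cpp"
```

The default setup has to be switched off in the repository settings before a workflow like this runs, as the description notes.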
icemac commented Feb 18, 2026

@jensens Do you see a chance to fix the underlying problem?

jensens commented Feb 18, 2026

> @jensens Do you see a chance to fix the underlying problem?

The automatic/default setting under the Settings tab does not support pyproject.toml, specifically the new way to declare metadata. So, in fact, replicating the feature in a custom file is the fix for the underlying problem. Unless GitHub upgraded its defaults. With the file it does exactly the same as before, but using newer versions.

Successfully merging this pull request may close these issues.

CodeQL c-cpp analysis failing since Nov 2025