fix: add CodeQL workflow with disk space cleanup (#8817)

* fix: add CodeQL workflow with disk space cleanup

* chore: update CodeQL workflow to match GitHub advanced setup

Author: tristandubbeld

.github/codeql/codeql-config.yml

@@ -0,0 +1,55 @@
+name: "CodeQL Config"
+
+# Exclude paths to reduce disk space usage during CodeQL analysis
+# This prevents analyzing unnecessary files that consume disk space
+paths-ignore:
+  # Dependencies - don't analyze third-party code
+  - "**/node_modules"
+  - "**/yarn.lock"
+  - "**/package-lock.json"
+  
+  # Build artifacts - generated code doesn't need analysis
+  - "**/dist"
+  - "**/lib"
+  - "**/compiled"
+  - "**/build"
+  - "**/www"
+  - "**/release"
+  
+  # Test fixtures and snapshots
+  - "**/__mocks__"
+  - "**/__image_snapshots__"
+  - "**/_fixtures"
+  - "**/fixture"
+  - "**/test/**/*.png"
+  - "**/test/**/*.jpg"
+  - "**/test/**/*.svg"
+  - "**/integration-tests/**/*.png"
+  
+  # Example and playground files - not production code
+  - "**/example"
+  - "**/examples"
+  - "**/playground"
+  - "**/website"
+  - "**/docs"
+  
+  # Generated files
+  - "**/*.map"
+  - "**/*.min.js"
+  - "**/*.min.css"
+  
+  # Large standalone packages - exclude website and release directories
+  - "standalone-packages/monaco-editor/website"
+  - "standalone-packages/monaco-editor/release"
+  - "standalone-packages/vscode-editor/release"
+  - "standalone-packages/vscode-textmate/**/*.result"
+  - "standalone-packages/vscode-textmate/**/*.patch"
+  
+  # Static assets
+  - "**/static/fonts"
+  - "**/static/img"
+  - "**/public"
+  
+  # CI/CD files
+  - "**/Dockerfile*"
+  - "**/.circleci"

.github/workflows/codeql.yml

@@ -0,0 +1,83 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 0 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    permissions:
+      # required for all workflows
+      security-events: write
+      # required to fetch internal or private CodeQL packs
+      packages: read
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: javascript-typescript
+          build-mode: none
+
+    steps:
+    - name: Clean up disk space
+      run: |
+        echo "Disk space before cleanup:"
+        df -h
+        echo ""
+        echo "Cleaning up unnecessary files to free disk space..."
+        
+        # Remove large tool directories that aren't needed for JavaScript/TypeScript CodeQL analysis
+        # These tools will be re-downloaded by GitHub Actions if needed for other jobs
+        sudo rm -rf /usr/share/dotnet
+        sudo rm -rf /opt/ghc
+        sudo rm -rf /usr/local/share/boost
+        sudo rm -rf /usr/local/lib/android
+        sudo rm -rf /opt/az
+        
+        # Remove large tool caches (CodeQL will re-download only what it needs)
+        sudo rm -rf "$AGENT_TOOLSDIRECTORY"
+        
+        # Clean up system caches
+        sudo apt-get clean
+        sudo rm -rf /var/lib/apt/lists/*
+        
+        # Remove Docker images if Docker is installed (not needed for CodeQL)
+        docker system prune -af || true
+        
+        # Remove pip cache
+        rm -rf ~/.cache/pip || true
+        
+        # Remove npm cache (will be recreated during checkout if needed)
+        npm cache clean --force || true
+        
+        echo ""
+        echo "Disk space after cleanup:"
+        df -h
+
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # Use our custom config file to exclude unnecessary files
+        config-file: ./.github/codeql/codeql-config.yml
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4
+      with:
+        category: "/language:${{matrix.language}}"
+