
Update CodeQL workflow to v4 and replace deprecated LGTM badges#1079

Merged
jfhenon merged 3 commits into
SVG-Edit:masterfrom
hernandez-ajhc:add-codeql-badge
Jan 20, 2026

Conversation


@hernandez-ajhc hernandez-ajhc commented Jan 20, 2026

PR description

The LGTM service has been discontinued, so the old LGTM badges in the README are broken.

This PR does the following:

  1. Adds a GitHub CodeQL workflow (updated to Action v4) to analyze the code for security and quality.
  2. Replaces the old LGTM badges in the README with a new CodeQL badge.

After merging, the badge will show the status of CodeQL analysis for the repository.

Checklist

  • Updated README to replace deprecated LGTM badges
  • Added CodeQL workflow (v4)
  • UI tests not applicable
  • npm tests not applicable

Summary by Sourcery

Add GitHub CodeQL security analysis and update README badges to reflect the new workflow.

New Features:

  • Introduce a CodeQL GitHub Actions workflow using the v4 CodeQL action to analyze JavaScript code on pushes, pull requests, and a weekly schedule.

Enhancements:

  • Replace deprecated LGTM badges in the README with a CodeQL workflow status badge to surface current analysis results in the project documentation.

CI:

  • Add a CodeQL analysis workflow to the CI configuration to run security and quality scans for JavaScript on main and master branches.

sourcery-ai Bot commented Jan 20, 2026

Reviewer's Guide

Adds a new GitHub Actions CodeQL v4 workflow for JavaScript analysis and replaces deprecated LGTM badges in the README with a CodeQL status badge referencing the new workflow.

Flow diagram for CodeQL analyze job steps

```mermaid
flowchart TD
  Trigger["Workflow triggered: push, pull_request, or schedule"]
  AnalyzeJob["Job analyze, runs-on ubuntu-latest"]
  Checkout["Step Checkout repository: actions/checkout@v4"]
  InitCodeQL["Step Initialize CodeQL: github/codeql-action/init@v4"]
  Autobuild["Step Autobuild: github/codeql-action/autobuild@v4"]
  Analyze["Step Perform CodeQL Analysis: github/codeql-action/analyze@v4"]
  Results["Upload security-events to code scanning"]

  Trigger --> AnalyzeJob
  AnalyzeJob --> Checkout
  Checkout --> InitCodeQL
  InitCodeQL --> Autobuild
  Autobuild --> Analyze
  Analyze --> Results

  subgraph Matrix
    LangJS["language javascript"]
  end

  AnalyzeJob --> LangJS
```

File-Level Changes

README.md: Replace deprecated LGTM badges with a CodeQL workflow status badge in the README.
  • Remove LGTM total alerts and JavaScript code quality badges from the badges section.
  • Add a CodeQL GitHub Actions workflow badge pointing to the new codeql.yml workflow.
  • Leave surrounding README content unchanged aside from spacing around the badges.

.github/workflows/codeql.yml: Introduce a CodeQL v4 GitHub Actions workflow to analyze the JavaScript codebase on key events.
  • Define a CodeQL workflow triggered on push and pull_request to main and master branches.
  • Add a weekly scheduled CodeQL analysis via cron configuration.
  • Configure an analyze job using ubuntu-latest with appropriate minimal permissions for security-events.
  • Set up a language matrix for JavaScript analysis.
  • Add steps to check out the repo, initialize CodeQL with the selected language, run the autobuild step, and perform the CodeQL analysis using v4 of the CodeQL actions.


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `.github/workflows/codeql.yml:27-28` </location>
<code_context>
+        language: [ 'javascript' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Initialize CodeQL
</code_context>
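Review bot: The checkout step in this hunk (`uses: actions/checkout@v4`) runs with the action's default `persist-credentials: true`, which writes the job's GITHUB_TOKEN into the checked-out repository's git config for the rest of the job; a CodeQL scan job only reads the tree, so add `with: persist-credentials: false` under that step so the token is not available to anything the later init/autobuild steps run. Also, the matrix value `'javascript'` is still accepted as an alias, but the current CodeQL language identifier is `javascript-typescript`; using it makes explicit that TypeScript sources are scanned too.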

<issue_to_address>
**🚨 suggestion (security):** Pin actions to a specific commit SHA instead of a floating major tag for better supply-chain security

Floating tags like `@v4` will auto-upgrade to new major versions, which can change behavior without review. For security-sensitive workflows like CodeQL, please pin actions (e.g. `actions/checkout`, `github/codeql-action`) to specific commit SHAs, optionally with a comment noting the version, so updates are explicit and reviewable.

Suggested implementation:

```yaml
    - name: Checkout repository
      # actions/checkout v4.x
      uses: actions/checkout@<COMMIT-SHA-FOR-ACTIONS-CHECKOUT-V4>

```

```yaml
    - name: Initialize CodeQL
      # github/codeql-action/init v4.x
      uses: github/codeql-action/init@<COMMIT-SHA-FOR-CODEQL-ACTION-V4>
      with:
        languages: ${{ matrix.language }}

```

```yaml
    - name: Autobuild
      # github/codeql-action/autobuild v4.x
      uses: github/codeql-action/autobuild@<COMMIT-SHA-FOR-CODEQL-ACTION-V4>

```

```yaml
    - name: Perform CodeQL Analysis
      # github/codeql-action/analyze v4.x
      uses: github/codeql-action/analyze@<COMMIT-SHA-FOR-CODEQL-ACTION-V4>

```

1. Replace `<COMMIT-SHA-FOR-ACTIONS-CHECKOUT-V4>` with the actual commit SHA for the desired `actions/checkout` v4 release (from https://github.com/actions/checkout/tags or the GitHub Marketplace).
2. Replace `<COMMIT-SHA-FOR-CODEQL-ACTION-V4>` with the actual commit SHA for the desired `github/codeql-action` v4 release (from https://github.com/github/codeql-action/tags). The same SHA is typically used for `init`, `autobuild`, and `analyze`.
3. Optionally, refine the comments to specify the exact version (e.g. `v4.2.2`) corresponding to the chosen SHAs for clearer auditing.
</issue_to_address>


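As an added example (not part of this PR or of Sourcery's suggestion), a small Python lint that reports every `uses:` reference not pinned to a full 40-character commit SHA and rewrites the ones it has a pin for, keeping the version label as a trailing comment as the suggestion recommends. The workflow text is reconstructed from the reviewer's guide above, and the SHAs in `EXAMPLE_PINS` are placeholders, not the real commits for these tags; the real values come from the actions' tag pages as steps 1 and 2 describe.

```python
import re

# Constructed sample: the PR's step list, reconstructed from the reviewer's guide on this page.
SAMPLE_WORKFLOW = """\
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v4
      with:
        languages: ${{ matrix.language }}
    - name: Autobuild
      uses: github/codeql-action/autobuild@v4
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v4
"""

# Placeholder pins: these SHAs are NOT real commits; take the real ones from the actions' tag pages.
EXAMPLE_PINS = {
    "actions/checkout@v4": ("c" * 40, "v4.x"),
    "github/codeql-action@v4": ("d" * 40, "v4.x"),
}

# Matches `uses: owner/repo[/subpath]@ref`, tolerating a trailing `# version` comment.
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s+)?)uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>\S+)\s*(?:#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text):
    """Return (line_number, action, ref) for each `uses:` whose ref is not a full 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            findings.append((lineno, m.group("action"), m.group("ref")))
    return findings


def pin_actions(workflow_text, pins):
    """Rewrite floating refs to SHAs; `pins` maps "owner/repo@tag" to (sha, version_label).
    Subpaths such as github/codeql-action/init share the repository's pin; unknown refs are left as-is."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            repo = "/".join(m.group("action").split("/")[:2])  # owner/repo without the subpath
            pin = pins.get(f"{repo}@{m.group('ref')}")
            if pin:
                line = f"{m.group('prefix')}uses: {m.group('action')}@{pin[0]} # {pin[1]}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `unpinned_actions` on the sample reports the four `@v4` references; after `pin_actions` with a complete pin table it reports none, so the lint doubles as a CI gate for the workflow directory.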

@jfhenon jfhenon merged commit 70d7a3e into SVG-Edit:master Jan 20, 2026
8 checks passed