
ci: pin codeql-advanced.yml action references to 40-char commit SHAs #217

@cagataycali

Description


Problem

.github/workflows/codeql-advanced.yml still uses floating @v4 tags on several uses: references:

  • Line 60: actions/checkout@v4
  • Line 70: github/codeql-action/init@v4
  • Line 102: github/codeql-action/analyze@v4

Per AGENTS.md > Review Learnings (PR #92) > Action Pinning:

All uses: references in workflows pin to a full 40-character commit SHA, with the version tag preserved as a trailing comment: uses: actions/checkout@<sha> # v4.2.2.

The sister workflow codeql.yml already follows this standard (e.g. @4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4). The matrix workflow should be brought up to the same level.

Why this matters

Floating tags are the exact supply-chain pattern exploited in the tj-actions/changed-files incident. The pypa/gh-action-pypi-publish moving-branch scenario is another example. SHA-pinning removes the attack surface; Dependabot's github-actions ecosystem entry keeps them fresh.

Acceptance criteria

  • All uses: in codeql-advanced.yml pin to a full 40-char SHA with the version tag as a trailing comment
  • .github/dependabot.yml includes a github-actions ecosystem entry covering this file (confirm existing or add)
  • No functional change to the workflow logic

Context

Surfaced during PR #216 review (thread #5). The floating tags pre-date that PR; filing as a follow-up per scope discipline.


Filed by autonomous agent. Strands Agents.
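A practitioner reviewing a PR for this issue would want a mechanical check for both acceptance criteria rather than eyeballing the YAML. The following is an added example, not code from the issue or the project: a dependency-free Python linter that flags every `uses:` reference in workflow text that is not a 40-character hex SHA with a trailing version-tag comment, and a simplified line-based check that a dependabot.yml lists the github-actions ecosystem. The sample workflow and dependabot fragments are constructed for the example (the codeql-action SHA is the one quoted above from codeql.yml; the `local-helper` action and the dependabot schedule are placeholders), and the regexes are this example's own, not an official GitHub schema.

```python
"""Lint GitHub Actions workflow text for unpinned `uses:` references and
confirm a Dependabot config covers the github-actions ecosystem.

Added example for review of SHA-pinning PRs; not the project's own tooling.
"""
import re

# Matches `uses: owner/repo[/path]@ref   # optional trailing comment`,
# both as a step (`- uses:`) and as a reusable-workflow reference (`uses:`).
# Local actions (`uses: ./path`) carry no `@ref` and are never matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# Git object IDs are 40 lowercase hex characters (SHA-1).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The trailing comment should carry the version tag, e.g. `v4.2.2` or `v3`.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")


def lint_workflow(text):
    """Return (line_no, target, ref, reason) for every `uses:` reference that
    is not pinned to a full commit SHA with a version-tag comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref, comment = m.group("target"), m.group("ref"), m.group("comment")
        if target.startswith("docker://"):
            # Container actions are pinned by image digest, not commit SHA;
            # that is a separate check and is skipped here.
            continue
        if not SHA_RE.match(ref):
            findings.append((n, target, ref, "floating ref (not a 40-char SHA)"))
        elif not comment or not VERSION_COMMENT_RE.match(comment.strip()):
            findings.append((n, target, ref, "SHA without trailing version tag comment"))
    return findings


def dependabot_covers_actions(text):
    """True if the dependabot.yml body declares a github-actions ecosystem.
    Simplified line-based check so the example needs no YAML library."""
    pattern = re.compile(r'^\s*-?\s*package-ecosystem:\s*["\']?github-actions["\']?\s*$')
    return any(pattern.match(line) for line in text.splitlines())


# Constructed sample: one floating tag, one correct pin, one SHA pin
# missing its version comment, and one local action.
SAMPLE_WORKFLOW = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3.29.4
      - uses: github/codeql-action/analyze@4e828ff8d448a8a6e532957b1811f387a63867e8
      - uses: ./.github/actions/local-helper
"""

# Constructed sample dependabot.yml covering workflow action references.
SAMPLE_DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
"""

if __name__ == "__main__":
    for line_no, target, ref, reason in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target}@{ref}: {reason}")
    print("dependabot covers github-actions:", dependabot_covers_actions(SAMPLE_DEPENDABOT))
```

On the sample above the linter reports the `actions/checkout@v4` step as floating and the `analyze` step as a SHA pin with no version comment; the correctly pinned `init` step and the local action produce nothing. The version comment is worth enforcing, not just the SHA: Dependabot's github-actions updater uses it to recognize which release a pinned SHA corresponds to, and bumps both the SHA and the comment together. Point the functions at `.github/workflows/*.yml` and `.github/dependabot.yml` to run the same check on a real repository.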

Metadata


Assignees

No one assigned


    Projects

    Status

    Ready

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
