Add CodeQL security scanning (#99411)

* Add CodeQL security scanning

* Limit codeQL languages to Javascript only

Linguist detects a very small amount of additional language code, but given that JS/TS is the majority, I don't think we need to worry about complicating things further.