
ci(codeql): consolidate codeql.yml + codeql-advanced.yml to remove duplicate Python scans on PR/push #237

@cagataycali

Description


Problem

After #234 lands, the two CodeQL workflows are aligned on the same major and same SHA (github/codeql-action v4.36.0), but they still scan overlapping inputs under different query suites on every PR and push to main:

| Workflow | Trigger | Languages scanned | Query suite |
|---|---|---|---|
| .github/workflows/codeql.yml | push/pull_request to main | python | security-and-quality |
| .github/workflows/codeql-advanced.yml | push/pull_request to main + weekly schedule: | python + actions | default |

Every PR therefore runs two Python CodeQL analyses. They produce divergent SARIF (different rule sets), waste CI minutes on overlapping findings, and undermine the "one source of truth for CodeQL config" framing.

Reproducer

```sh
grep -nE '^(on:|  (push|pull_request|schedule):)' .github/workflows/codeql.yml .github/workflows/codeql-advanced.yml
# Both files trigger on push and pull_request to main.

# After #234 merges:
grep -n 'codeql-action' .github/workflows/codeql*.yml
# Both pin to the same SHA, confirming this is now a configuration overlap, not a version drift.
```

On any PR touching Python, the Actions tab will show two Analyze (python) jobs from the two workflows, scanning the same source tree under different query suites.

Acceptance criteria

Pick one of the two consolidation strategies below and ship it:

Strategy A: single workflow (preferred)

  • Delete .github/workflows/codeql-advanced.yml.
  • In .github/workflows/codeql.yml, expand the language matrix to include actions (currently python-only).
  • Keep the security-and-quality query suite from codeql.yml.
  • Add a schedule: cron stanza so weekly extended scans still run.
  • Verify on the PR that Analyze (python) runs once, not twice.

Strategy B: scope codeql-advanced.yml to schedule-only

  • In .github/workflows/codeql-advanced.yml, remove the push: and pull_request: triggers; keep only schedule: and workflow_dispatch:.
  • Document in a header comment that this workflow is the weekly extended scan and that PR/push scans are owned by codeql.yml.
  • Verify on a follow-up PR that only codeql.yml's Analyze (python) runs on PR open.

Either strategy

  • No regression in the py/unsafe-cyclic-import suppression behaviour from #216 (security(codeql): suppress py/unsafe-cyclic-import on simulation triple, closes #215).
  • Add a regression-pin test (parse both workflow files post-change, assert the chosen invariant: either exactly one file under .github/workflows/codeql*.yml, OR codeql-advanced.yml's on: keys are a subset of {schedule, workflow_dispatch}).
  • Update PR description with a SARIF rule-set diff against main to confirm the consolidation is a no-op for findings (or document the intended delta).
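A concrete shape for the regression-pin test named above, added here as an example rather than code from this repository. It encodes the "either exactly one codeql*.yml, or codeql-advanced.yml's on: keys are a subset of {schedule, workflow_dispatch}" invariant, and it reads the trigger keys with a small line-based extractor instead of PyYAML, because PyYAML follows YAML 1.1 and loads a bare `on` key as the boolean True, which makes a naive `workflow["on"]` lookup silently miss. The embedded workflow texts are constructed samples modelling the current overlap and the Strategy B shape, and the `.github/workflows` path is assumed from the issue; the helper names are the example's own.

```python
"""Regression pin for the CodeQL workflow consolidation invariant (added example).

Invariant from the issue: after the change, EITHER exactly one
.github/workflows/codeql*.yml exists (Strategy A), OR codeql-advanced.yml's
top-level `on:` keys are a subset of {schedule, workflow_dispatch} (Strategy B).
"""
import re
from pathlib import Path

# Assumed repo layout (taken from the issue); adjust if the workflows live elsewhere.
WORKFLOWS_DIR = Path(".github/workflows")
CODEQL_GLOB = "codeql*.yml"
SCHEDULED_ONLY = {"schedule", "workflow_dispatch"}


def trigger_keys(workflow_text: str) -> set[str]:
    """Return the trigger names under a workflow's top-level `on:` key.

    Line-based on purpose: PyYAML (YAML 1.1) loads an unquoted `on` key as True.
    Handles the block form, the list form (`- push`) and the inline forms
    (`on: push`, `on: [push, pull_request]`); a quoted `"on":` key also works.
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        head = re.match(r'^["\']?on["\']?:\s*(.*)$', line)
        if not head:
            continue
        inline = head.group(1).split("#", 1)[0].strip()
        if inline:
            return {k.strip() for k in inline.strip("[]").split(",") if k.strip()}
        keys: set[str] = set()
        child_indent = None
        for nxt in lines[i + 1:]:
            stripped = nxt.strip()
            if not stripped or stripped.startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip(" "))
            if indent == 0:
                break  # the next top-level key ends the `on:` block
            if child_indent is None:
                child_indent = indent
            if indent != child_indent:
                continue  # nested options such as `branches:` or `- cron:`
            key = re.match(r"^(?:-\s*)?([\w-]+)", stripped)
            if key:
                keys.add(key.group(1))
        return keys
    return set()


def consolidation_holds(workflows: dict[str, str]) -> bool:
    """`workflows` maps file name -> YAML text for every codeql*.yml file found."""
    if len(workflows) == 1:
        return True  # Strategy A: a single CodeQL workflow remains
    advanced = workflows.get("codeql-advanced.yml")
    if advanced is None:
        return False  # several files but no codeql-advanced.yml: not a shape we accept
    return trigger_keys(advanced) <= SCHEDULED_ONLY  # Strategy B: schedule/dispatch only


def check_repo(workflows_dir: Path = WORKFLOWS_DIR) -> bool:
    """Read the real workflow files from disk and evaluate the invariant."""
    found = {p.name: p.read_text(encoding="utf-8") for p in workflows_dir.glob(CODEQL_GLOB)}
    if not found:
        raise FileNotFoundError(f"no {CODEQL_GLOB} under {workflows_dir}")
    return consolidation_holds(found)


# Constructed sample workflows for the self-check (not the repository's real files).
CODEQL_YML = """\
name: "CodeQL"
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
jobs:
  analyze:
    runs-on: ubuntu-latest
"""

ADVANCED_BEFORE = """\
name: "CodeQL Advanced"
on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '30 3 * * 1'
jobs:
  analyze:
    runs-on: ubuntu-latest
"""

ADVANCED_AFTER_STRATEGY_B = """\
# Weekly extended CodeQL scan. PR/push scans are owned by codeql.yml.
name: "CodeQL Advanced"
on:
  schedule:
    - cron: '30 3 * * 1'
  workflow_dispatch:
jobs:
  analyze:
    runs-on: ubuntu-latest
"""

if __name__ == "__main__":
    # Run from the repository root; prints True once the consolidation is in place.
    print(check_repo())
```

Wire `check_repo()` into the existing test suite so CI fails the moment someone re-adds a push: or pull_request: trigger to the advanced workflow; the sample texts double as fixtures for a unit test of the extractor itself.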

Why this is a follow-up, not a #234 expansion

#234's objective is SHA-pinning + major-alignment for supply-chain hygiene (closes #217). Consolidating two workflows changes the findings posture of the repository (different query suites scan different things), which is a separate review surface that deserves its own diff and its own SARIF audit. Bundling it into #234 would mix supply-chain hygiene with security-policy changes and make the round budget on #234 unmanageable.

This follows the same pattern as #217 -> #234 itself: file a tracked follow-up the moment the deferral is identified, so the deferral is credible.
