chore(ci): update codeql workflows

[nirinchev]

Description

Updates codeql actions to v3; adds actions as a scanned language.

Motivation and Context

• Bugfix
• New feature
• Dependency update
• Misc

Types of changes

• Backport Needed
• Patch (non-breaking change which fixes an issue)
• Minor (non-breaking change which adds functionality)
• Major (fix or feature that would cause existing functionality to change)

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[gribnoysup]

CI failure is relevant to the changes in this PR it seems?

[2025/01/22 21:39:59.052] /data/mci/861d152c6ced35957b289355d5300ba9/src/node_modules/@mongodb-js/sbom-tools/dist/commands/fetch-codeql-results.js:223
[2025/01/22 21:39:59.052]                 throw new Error(`Found bad (not dismissed) alert: ${JSON.stringify(properties)} from run at ${JSON.stringify(repoInfo)}`);
[2025/01/22 21:39:59.052]                       ^
[2025/01/22 21:39:59.052] Error: Found bad (not dismissed) alert: {"github/alertNumber":154,"github/alertUrl":"https://api.github.com/repos/mongodb-js/compass/code-scanning/alerts/154"} from run at {"branch":"refs/pull/6645/merge","repositoryUri":"[https://github.com/mongodb-js/compass","revisionId":"7370ca5a97ec11ee882c30797629185c10c220cb","repos":[]](https://github.com/mongodb-js/compass%22,%22revisionId%22:%227370ca5a97ec11ee882c30797629185c10c220cb%22,%22repos%22:[])}
[2025/01/22 21:39:59.052]     at fetchCodeQLResults (/data/mci/861d152c6ced35957b289355d5300ba9/src/node_modules/@mongodb-js/sbom-tools/dist/commands/fetch-codeql-results.js:223:23)
[2025/01/22 21:39:59.052]     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
[2025/01/22 21:39:59.052]     at async Command.<anonymous> (/data/mci/861d152c6ced35957b289355d5300ba9/src/node_modules/@mongodb-js/sbom-tools/dist/commands/fetch-codeql-results.js:275:25)

[nirinchev]

Yes, the alerts related to actions are legitimate: https://github.com/mongodb-js/compass/security/code-scanning?query=pr%3A6645+is%3Aopen. I'll go through them and fix/dismiss where relevant.

[nirinchev]

@gribnoysup I've updated the workflows to address the issues flagged by CodeQL (they were mostly lack of explicit permissions for workflows and not pinning 3rd party actions to a commit).