
Commit 456c94a

Authored by Copilot, harsha-simhadri, arrayka and hildebrandmw
Enable CodeQL security analysis (#754)
## CodeQL Enablement

- [x] Create CodeQL workflow configuration
- [x] Configure CodeQL for Rust language
- [x] Set up build steps for Rust workspace
- [x] Set up CodeQL database initialization and analysis
- [x] Integrate CodeQL into ci.yml
- [x] Remove separate codeql.yml workflow file
- [x] Add CodeQL job to ci.yml workflow
- [x] Verify build commands work correctly
- [x] Address review feedback
- [x] Scope security-events:write permission to only the codeql job (least-privilege)
- [x] Fix step indentation to match other jobs in the workflow
- [x] Use --profile ci to match other jobs and avoid cache duplication
- [x] Remove CodeQL from basics gate to avoid blocking expensive tests

## Summary

CodeQL is now integrated into the CI workflow and runs in parallel with all other jobs. It is not part of the "basics" gate, which means:

- Fast basic checks (clippy, fmt, etc.) complete in ~30 seconds and immediately unblock expensive tests
- CodeQL runs in parallel with expensive tests (workspace tests, coverage, etc.)
- Total CI time is not increased by CodeQL's ~8 minute runtime
- CodeQL is still a required check for PRs - it just doesn't block other tests from starting

The job follows least-privilege principles with scoped permissions and uses the ci profile for build caching consistency.

<details>
<summary>Original prompt</summary>

> ----
>
> *This section details the original issue you should resolve*
>
> <issue_title>CodeQL enablement</issue_title>
> <issue_description>## Is your feature request related to a problem? Please describe.
> Enable CodeQL checks
>
> </issue_description>
>
> ## Comments on the Issue (you are @copilot in this section)
>
> <comments>
> </comments>
</details>

- Fixes #751

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: harsha-simhadri <5590673+harsha-simhadri@users.noreply.github.com>
Co-authored-by: arrayka <1551741+arrayka@users.noreply.github.com>
Co-authored-by: hildebrandmw <24898651+hildebrandmw@users.noreply.github.com>
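The gating the commit message describes (a fast `basics` job that unblocks expensive jobs, with CodeQL running beside it rather than behind it) is easiest to see in a whole workflow. The following is an added illustration written for this page, not the project's own ci.yml, which is only shown as a hunk above; the job names `basics` and `workspace-tests`, the trigger block, and the `fmt`/`clippy`/`test` steps are assumptions, and `--profile ci` assumes a custom `[profile.ci]` exists in the workspace `Cargo.toml`.

```yaml
name: ci
on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default: a read-only token for every job that does not
# override it. Only the codeql job below widens this.
permissions:
  contents: read

jobs:
  basics:                        # fast gate: formatting and lints
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo fmt --all --check
      - run: cargo clippy --workspace --all-targets -- -D warnings

  workspace-tests:               # expensive; waits for the gate to pass
    needs: basics
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo test --workspace --locked --profile ci

  codeql:                        # no `needs`: starts alongside basics
    name: CodeQL security analysis
    runs-on: ubuntu-latest
    permissions:                 # job-level override: only this job may upload SARIF
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: rust
      - run: cargo build --workspace --locked --profile ci   # the build CodeQL traces
      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:rust"
```

Two things follow from this layout. Whether `codeql` is a required check is branch-protection configuration, not something the workflow file expresses, so "required but non-blocking" is exactly the combination of a protected-branch rule plus the absence of `needs:` on the job. And because `security-events: write` is granted only inside the `codeql` job, a compromised step in `basics` or `workspace-tests` runs with a read-only `GITHUB_TOKEN` and cannot tamper with code-scanning results.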
1 parent 16cbd93 commit 456c94a

1 file changed

Lines changed: 31 additions & 0 deletions


.github/workflows/ci.yml

@@ -125,6 +125,37 @@ jobs:
125125
--no-deps \
126126
--config "$RUST_CONFIG"
127127
128+
codeql:
129+
name: CodeQL security analysis
130+
runs-on: ubuntu-latest
131+
permissions:
132+
contents: read
133+
security-events: write
134+
135+
steps:
136+
- name: Checkout repository
137+
uses: actions/checkout@v4
138+
139+
- name: Initialize CodeQL
140+
uses: github/codeql-action/init@v3
141+
with:
142+
languages: rust
143+
144+
- name: Install Rust ${{ env.rust_stable }}
145+
uses: dtolnay/rust-toolchain@stable
146+
with:
147+
toolchain: ${{ env.rust_stable }}
148+
149+
- uses: Swatinem/rust-cache@v2
150+
151+
- name: Build workspace
152+
run: cargo build --workspace --locked --profile ci
153+
154+
- name: Perform CodeQL Analysis
155+
uses: github/codeql-action/analyze@v3
156+
with:
157+
category: "/language:rust"
158+
128159
# TODO: Re-enable docs check later
129160
# docs:
130161
# name: docs
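Review bot: every action in this job is referenced by a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3` and `analyze@v3`, `dtolnay/rust-toolchain@stable`, `Swatinem/rust-cache@v2`); since this is the one job holding `security-events: write` and its upload feeds the repository's code-scanning alerts, pin each `uses:` to a full commit SHA with the version in a trailing comment (e.g. `uses: github/codeql-action/init@<sha> # v3`) and let Dependabot bump the pins. Two smaller points: the `Swatinem/rust-cache@v2` step is the only one without a `name:`, and `${{ env.rust_stable }}` is not defined anywhere in this hunk, so confirm it is set at workflow level rather than inside another job's `env:`.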
