Bring CodeQL GitHub Actions workflow more in line with defaults

[charmander]

Newer defaults and not permissions I intentionally removed, I think?

[github-advanced-security[bot]]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[codecov[bot]]

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (0971e69) 59.62% compared to head (f4a5eef) 59.62%.

Additional details and impacted files

```diff @@ Coverage Diff @@ ## main #1388 +/- ## ======================================= Coverage 59.62% 59.62% ======================================= Files 94 94 Lines 9068 9068 Branches 1635 1635 ======================================= Hits 5407 5407 Misses 3227 3227 Partials 434 434 ```

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.