PR check generator: add `excludeOsAndVersionCombination`

[angelapwen]

We often need to exclude specific combinations of CLI versions + operating systems. Previously there was no easy way to do this: we would run all CLI versions specified against all operating systems specified. This change adds the excludeOsAndVersionCombination parameter to do just that!

To test, I re-enabled Swift on Linux for CLI v >= 2.17.4, which remained as a to-do item after we disabled those checks in https://github.com/github/codeql-action/pull/2299. Note that default, linked, and nightly-latest are all now current enough to re-enable those. The new generator script allows us to exclude all older CLI versions on Linux.

I'll update the required PR checks once this PR is approved ✅

Merge / deployment checklist

• [x] Confirm this change is backwards compatible with existing workflows.
• [x] Confirm the readme has been updated if necessary.
• [x] Confirm the changelog has been updated if necessary.

[angelapwen]

Updated the branch protection rules accordingly for main, releases/v2, and releases/v3.