Are there any specific recommendations from the Security SIG on running CodeQL? Ours runs once a day, but both the collector and java seem to run on every PR and push to main - should we change our workflow to do the same?
Creating this issue to document the recommendation in this repository
The following question came up in https://github.com/open-telemetry/opentelemetry-js/issues/4101