sopel-irc / sopel

:robot::speech_balloon: An easy-to-use and highly extensible IRC Bot framework. Formerly Willie.
https://sopel.chat

CodeQL: only scan `sopel` directory #2528

Closed dgw closed 8 months ago

dgw commented 8 months ago

No more false security warnings in test files.

Checklist

dgw commented 8 months ago

Before (last CodeQL analysis on master):

CodeQL scanned 124 out of 124 Python files in this job. Typically CodeQL is configured to analyze a single CodeQL language per job, so check the status page for overall coverage information across all jobs: https://github.com/sopel-irc/sopel/security/code-scanning/tools/CodeQL/status/
Analysis produced the following metric data:

|                   Metric                   | Value  |
+--------------------------------------------+--------+
| Total lines of Python code in the database | 171510 |

After (with this configuration change):

CodeQL scanned 82 out of 82 Python files in this job. Typically CodeQL is configured to analyze a single CodeQL language per job, so check the status page for overall coverage information across all jobs: https://github.com/sopel-irc/sopel/security/code-scanning/tools/CodeQL/status/
Analysis produced the following metric data:

|                   Metric                   | Value  |
+--------------------------------------------+--------+
| Total lines of Python code in the database | 159354 |

File counts reported by CodeQL match up exactly with my quick-and-dirty find results:

dgw@ROGAlly:~/github/sopel-irc/sopel$ find . -type f -name '*.py' | wc -l
124
dgw@ROGAlly:~/github/sopel-irc/sopel$ find sopel/ -type f -name '*.py' | wc -l
82

Based on the above, I've checked off the "I have tested the functionality of the things this change touches" box above; seems to work exactly as I desired.
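The configuration change itself is not shown on this page. As an added illustration (not the PR's actual diff), this is the shape of a CodeQL configuration file that limits analysis to the `sopel` package; the file path and the workflow wiring mentioned below are assumptions, not taken from the repository.

```yaml
# .github/codeql/codeql-config.yml  (assumed path; not the PR's real file)
name: "Sopel CodeQL config"

# Restrict analysis to the package directory. For interpreted languages
# such as Python, `paths` limits which files CodeQL extracts at all, which
# is why the "scanned N out of N Python files" count drops (124 -> 82 on
# this repository) instead of alerts merely being filtered after the fact.
paths:
  - sopel

# Everything outside `paths` (tests, docs, build scripts) is no longer
# analyzed, so the test-only false positives disappear, but so would any
# real finding in test helpers or fixtures; that trade-off is deliberate.
```

The workflow's `github/codeql-action/init` step then points at this file with its `config-file` input (assumed wiring); `paths-ignore` is the complementary key when it is easier to name the directories to exclude than the ones to keep.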