workflow: run codeql for PRs and ignore actions for doc changes

Signed-off-by: Tuomas Katila <[email protected]>

Author: tkatila

.github/workflows/ci.yaml

@@ -7,6 +7,9 @@ on:
     branches:
       - main
       - 'release-*'
+    # ignore PRs with only documentation changes
+    paths-ignore:
+      - '**/*.md'
 
 permissions:
   contents: read
@@ -23,6 +26,13 @@ jobs:
   validate:
     uses: "./.github/workflows/lib-validate.yaml"
 
+  codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "./.github/workflows/lib-codeql.yaml"
+
   build:
     needs:
       - trivy