CodeQL: scope analysis to src/ so libdeps stop drowning the alerts

Without a config file, CodeQL traced the full PlatformIO build and
scored ~2000 alerts against third-party libraries under .pio/libdeps/
(M5GFX, ESP32-audioI2S). Limit analysis to src/ so the dashboard only
shows findings we can actually act on.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Marcel Dütscher

.github/codeql/codeql-config.yml

@@ -0,0 +1,12 @@
+name: "Pixel-Pets CodeQL config"
+
+# Limit analysis to our own firmware source. CodeQL traces every compile
+# during the PlatformIO build, which would otherwise pull thousands of
+# alerts out of third-party libraries under .pio/libdeps/ (M5GFX,
+# ESP32-audioI2S, etc.) — code we don't maintain and can't fix.
+paths:
+  - src
+
+paths-ignore:
+  - .pio
+  - '**/libdeps/**'

.github/workflows/codeql.yml

@@ -71,6 +71,7 @@ jobs:
         with:
           languages: c-cpp
           queries: security-and-quality
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Build firmware (CodeQL traces compiles)
         run: pio run -e ${{ matrix.env }}