docs: assessments #110

	name: "CodeQL Advanced"

	# Custom (advanced) CodeQL setup so the slow c-cpp scan does NOT run on every
	# pull request. With default-setup it ran on every PR for >20 minutes on this
	# template-heavy codebase; here it runs only:
	# - weekly against main (drift detection)
	# - on direct pushes to main (post-merge verification)
	# - on demand via workflow_dispatch
	# It deliberately omits a `pull_request:` trigger.

	on:
	push:
	branches: [ "main" ]
	schedule:
	- cron: '27 16 * * 3'
	workflow_dispatch:

	jobs:
	analyze:
	name: Analyze (${{ matrix.language }})
	runs-on: ubuntu-latest
	timeout-minutes: 90
	permissions:
	security-events: write
	packages: read
	actions: read
	contents: read

	strategy:
	fail-fast: false
	matrix:
	include:
	- language: actions
	build-mode: none
	- language: c-cpp
	build-mode: manual
	- language: javascript-typescript
	build-mode: none
	- language: python
	build-mode: none

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v4
	with:
	languages: ${{ matrix.language }}
	build-mode: ${{ matrix.build-mode }}

	# Manual build for c-cpp: CI_LITE compiles a representative subset, which
	# is enough for CodeQL's extractor without paying for a full BUILD_ALL.
	- name: Configure (c-cpp)
	if: matrix.language == 'c-cpp'
	run: cmake -B build -DUNIVERSAL_BUILD_CI_LITE=ON

	- name: Build (c-cpp)
	if: matrix.language == 'c-cpp'
	run: cmake --build build -j 4

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v4
	with:
	category: "/language:${{ matrix.language }}"

Provide feedback