Customize the CodeQL workflow

- Give the workflow a shorter name
- Also trigger on "run-ci" branches (in addition to main)
- Also allow to be triggered from Actions tab
- Comment out currently unneeded permissions
- Use v5 of actions/checkout (rather than v4)
- Don't persist auth token after checkout (see #2187)

.github/workflows/codeql.yml

@@ -9,15 +9,20 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
-name: "CodeQL Advanced"
+name: CodeQL
 
 on:
   push:
-    branches: [ "main" ]
+    branches:
+      - main
+      - 'run-ci/**'
+      - '**/run-ci/**'
   pull_request:
-    branches: [ "main" ]
+    branches:
+      - main
   schedule:
     - cron: '32 3 * * 6'
+  workflow_dispatch:
 
 jobs:
   analyze:
@@ -33,11 +38,11 @@ jobs:
       security-events: write
 
       # required to fetch internal or private CodeQL packs
-      packages: read
+      # packages: read
 
       # only required for workflows in private repositories
-      actions: read
-      contents: read
+      # actions: read
+      # contents: read
 
     strategy:
       fail-fast: false
@@ -57,7 +62,9 @@ jobs:
         # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
+      with:
+        persist-credentials: false
 
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`