Justification:
- This was using _a lot_ of vm time and not giving us much
- We only really need to run it once per release
- Weekly as opposed to monthly means we can catch things earlier than when
the release happens
Fixes#105447
* Add CodeQL security scanning
* Limit codeQL languages to Javascript only
Linguist detects a very small amount of additional language code, but given that JS/TS is the majority, I don't think we need to worry about complicating things further.