ci: scanner workflows clone sibling proto repo

The Tier 1 CodeQL + govulncheck workflows failed on PR #16 because
common uses `replace instant.dev/proto => ../proto` in go.mod.

Fix: each workflow now checks out common into ./common, plus clones
the public sibling repo InstaNode-dev/proto.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

.github/workflows/codeql.yml

@@ -19,15 +19,25 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout this repo
+        uses: actions/checkout@v4
+        with:
+          path: common
+      - name: Checkout sibling InstaNode-dev/proto
+        uses: actions/checkout@v4
+        with:
+          repository: InstaNode-dev/proto
+          path: proto
       - uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version-file: common/go.mod
       - uses: github/codeql-action/init@v3
         with:
           languages: go
           queries: security-extended
-      - run: go build ./...
+      - name: Build
+        working-directory: common
+        run: go build ./...
       - uses: github/codeql-action/analyze@v3
         with:
           category: "/language:go"

.github/workflows/govulncheck.yml

@@ -16,10 +16,19 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout this repo
+        uses: actions/checkout@v4
+        with:
+          path: common
+      - name: Checkout sibling InstaNode-dev/proto
+        uses: actions/checkout@v4
+        with:
+          repository: InstaNode-dev/proto
+          path: proto
       - uses: actions/setup-go@v5
         with:
-          go-version-file: go.mod
+          go-version-file: common/go.mod
           check-latest: true
       - run: go install golang.org/x/vuln/cmd/govulncheck@latest
-      - run: govulncheck ./...
+      - working-directory: common
+        run: govulncheck ./...