fix(ci): configure CodeQL to scan only JEngine source code (#562)

Add CodeQL configuration to exclude third-party packages and focus
analysis on JEngine-specific code:

Included paths:
- UnityProject/Packages/com.jasonxudeveloper.jengine.core
- UnityProject/Packages/com.jasonxudeveloper.jengine.util
- UnityProject/Assets/HotUpdate/Code

Excluded:
- Third-party packages (HybridCLR, YooAsset, UniTask, etc.)
- Unity generated folders (Library, Temp, obj)
- Build outputs and samples

This improves code quality metrics by focusing on our own code
and reduces noise from third-party dependencies.

Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: JasonXuDeveloper

.github/codeql/codeql-config.yml

@@ -0,0 +1,36 @@
+name: "JEngine CodeQL Configuration"
+
+# Only analyze JEngine source code, exclude third-party dependencies
+paths:
+  # JEngine Core package
+  - 'UnityProject/Packages/com.jasonxudeveloper.jengine.core'
+  # JEngine Util package
+  - 'UnityProject/Packages/com.jasonxudeveloper.jengine.util'
+  # Hot update code
+  - 'UnityProject/Assets/HotUpdate/Code'
+
+paths-ignore:
+  # Third-party packages
+  - 'UnityProject/Packages/com.code-philosophy.hybridclr'
+  - 'UnityProject/Packages/com.focus-creative-games.*'
+  - 'UnityProject/Packages/com.tuyoogame.*'
+  - 'UnityProject/Packages/com.unity.*'
+  - 'UnityProject/Packages/com.cysharp.*'
+  # Unity generated files
+  - 'UnityProject/Library'
+  - 'UnityProject/Temp'
+  - 'UnityProject/Logs'
+  - 'UnityProject/obj'
+  # Build outputs
+  - 'UnityProject/Builds'
+  - 'UnityProject/ServerData'
+  # Test files (optional - remove if you want tests scanned)
+  - 'UnityProject/Assets/Tests'
+  # Third-party assets
+  - 'UnityProject/Assets/Plugins'
+  # Samples
+  - 'UnityProject/Assets/Samples'
+
+# Query configuration
+queries:
+  - uses: security-and-quality

.github/workflows/codeql.yml

@@ -0,0 +1,61 @@
+name: CodeQL Security Analysis
+
+on:
+  push:
+    branches: [master]
+    paths:
+      # Only run when JEngine code changes
+      - 'UnityProject/Packages/com.jasonxudeveloper.jengine.core/**'
+      - 'UnityProject/Packages/com.jasonxudeveloper.jengine.util/**'
+      - 'UnityProject/Assets/HotUpdate/Code/**'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql.yml'
+  pull_request:
+    branches: [master]
+    paths:
+      - 'UnityProject/Packages/com.jasonxudeveloper.jengine.core/**'
+      - 'UnityProject/Packages/com.jasonxudeveloper.jengine.util/**'
+      - 'UnityProject/Assets/HotUpdate/Code/**'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql.yml'
+  schedule:
+    # Run weekly on Sunday at 00:00 UTC
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze C# Code
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: csharp
+          config-file: ./.github/codeql/codeql-config.yml
+          # Use security-and-quality queries for comprehensive analysis
+          queries: security-and-quality
+
+      # Build step for C# - CodeQL needs to observe the build
+      # For Unity projects, we set up a minimal build environment
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '6.0.x'
+
+      # Autobuild attempts to build the project automatically
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:csharp"