chore(ci): Add code scanning & fix dependabot failures (#655)

Author: dpogue

.github/workflows/ci.yml

@@ -17,7 +17,13 @@
 
 name: Node CI
 
-on: [push, pull_request]
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+  pull_request:
+    branches:
+      - '*'
 
 jobs:
   test:
@@ -29,10 +35,10 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
 
@@ -41,11 +47,22 @@ jobs:
           node --version
           npm --version
 
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: javascript
+          queries: security-and-quality
+          config: |
+            paths-ignore:
+              - coverage
+              - node_modules
+
       - name: npm install and test
         run: npm cit
         env:
           CI: true
 
+      - uses: github/codeql-action/analyze@v3
+
       - uses: codecov/codecov-action@v4
         if: success()
         with:

.github/workflows/release-audit.yml

@@ -17,7 +17,13 @@
 
 name: Release Auditing
 
-on: [push, pull_request]
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+  pull_request:
+    branches:
+      - '*'
 
 jobs:
   test: