Add Swift CodeQL workflow and fix Dependabot config

[Copilot]

CodeQL for Swift was missing, and Dependabot config failed due to an empty package ecosystem.

• Security scanning: Add macOS CodeQL workflow that builds both iOS and macOS targets with signing disabled, using a shared CodeQL config scoping analysis to ios/ and mos/.
• Configuration: Add .github/codeql/codeql-config.yml for Swift paths; fix .github/dependabot.yml to monitor GitHub Actions weekly.

Example (CodeQL workflow build step excerpt):

xcodebuild build \
  -project Flean.xcodeproj \
  -target Flean \
  -configuration Debug \
  -sdk iphonesimulator \
  -skipPackagePluginValidation \
  CODE_SIGNING_ALLOWED=NO \
  CODE_SIGNING_REQUIRED=NO \
  CODE_SIGN_IDENTITY=""

[deepsource-io]

DeepSource Code Review

We reviewed changes in e09b771...e40a877 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade

Security   Reliability   Complexity   Hygiene

Code Review Summary

Analyzer	Status	Updated (UTC)	Details
PHP		Mar 28, 2026 6:08p.m.	Review ↗
Shell		Mar 28, 2026 6:08p.m.	Review ↗
JavaScript		Mar 28, 2026 6:08p.m.	Review ↗
Swift		Mar 28, 2026 6:08p.m.	Review ↗

[Copilot]

Pull request overview

Adds Swift-focused security automation for the repo’s iOS (ios/) and macOS (mos/) Xcode projects, and fixes an invalid Dependabot configuration so automated updates run correctly.

Changes:

• Introduces a GitHub Actions CodeQL workflow for Swift that builds both the iOS and macOS targets (with signing disabled) and uploads CodeQL results.
• Adds a CodeQL config file scoping analysis to ios/ and mos/.
• Fixes Dependabot config to monitor github-actions updates on a weekly cadence.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File	Description
.github/workflows/codeql.yml	New Swift CodeQL workflow that initializes CodeQL, builds iOS + macOS targets, and runs analysis.
.github/codeql/codeql-config.yml	Scopes CodeQL analysis paths to ios and mos.
.github/dependabot.yml	Replaces invalid/empty ecosystem with github-actions weekly updates.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[kiyarose]

No clue what this means

[kiyarose]

I guess we will have to wait and see when automerge eventually gets to it.