ci: tighten the CodeQL rules

- don't run CodeQL on test files
- don't run CodeQL if no `.go` nor `.js` file have been modified.

.github/workflows/codeql-analysis.yml

@@ -5,9 +5,17 @@ permissions: read-all
 on:
   push:
     branches: [ main ]
+    paths:
+      - '**.js'
+      - '**.go'
+      - '!**_test.go'
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]
+    paths:
+      - '**.js'
+      - '**.go'
+      - '!**_test.go'
   schedule:
     - cron: '45 22 * * 3'