ci: add Java to CodeQL security analysis

[pierluigilenoci]

Summary

The CodeQL workflow currently only scans JavaScript, but Arthas is primarily a Java project (~90% of the codebase). This means the security analysis misses the vast majority of the code.

Changes

• .github/workflows/codeql-analysis.yml: Add java-kotlin to the CodeQL language matrix
• Bump actions/checkout from v3 to v4

CodeQL's Autobuild step already supports Maven projects, so no additional build configuration is needed.

Test plan

• No functional code changes
• Verify CodeQL successfully analyzes Java code after merge

[pierluigilenoci]

Hi @hengyunabc, @HollowMan6 — this PR adds Java (java-kotlin) to the existing CodeQL security analysis workflow, so Java code gets the same automated security scanning that JavaScript already has. Also updates actions/checkout to v4. Would you be willing to review? Thank you!

[pierluigilenoci]

Gentle ping — could you take a look at this PR when you get a chance? Happy to address any feedback. Thank you!

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.