Run CodeQL only post merge #4385

Merged
merged 3 commits into from
May 13, 2025

Conversation

runningcode
Contributor

@runningcode runningcode commented May 9, 2025

📜 Description

This runs CodeQL with build caching disabled post-merge.

#skip-changelog

💡 Motivation and Context

CodeQL is slow and requires the compilation tasks to re-run. By disabling build caching we can ensure that CodeQL is run correctly. However, since this is one of the longest checks, it doesn’t make sense to run it during PRs.

💚 How did you test it?

📝 Checklist

  • I added tests to verify the changes.
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled.
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • Review from the native team if needed.
  • No breaking change or entry added to the changelog.
  • No breaking change for hybrid SDKs or communicated to hybrid SDKs.

🔮 Next steps

Contributor

github-actions bot commented May 9, 2025

Performance metrics 🚀

                 Plain       With Sentry   Diff
Startup time     420.48 ms   441.41 ms     20.93 ms
Size             1.58 MiB    2.08 MiB      508.73 KiB

Previous results on branch: no/codeql

Startup times

Revision   Plain       With Sentry   Diff
a01e51f    396.80 ms   423.92 ms     27.12 ms
2bea437    385.17 ms   400.10 ms     14.93 ms

App size

Revision   Plain       With Sentry   Diff
a01e51f    1.58 MiB    2.08 MiB      507.59 KiB
2bea437    1.58 MiB    2.08 MiB      507.76 KiB

@runningcode runningcode changed the title from "[DNM] Test CodeQL" to "Run CodeQL only post merge" May 12, 2025
@@ -3,9 +3,6 @@ name: 'CodeQL'
on:
push:
branches: [main]
pull_request:
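Review bot: dropping `pull_request:` from the `on:` block in this hunk removes the merge gate: a CodeQL finding can no longer block a PR and only becomes visible in the code-scanning tab after the commit is already on main, which is the trade-off the thread below debates. The rendered hunk carries the header `@@ -3,9 +3,6 @@` (three lines removed) but the `-` markers did not survive extraction, so these lines do not show whether anything beyond `pull_request:` and its branch filter was deleted; worth checking the full diff. If runtime is the only concern, keeping `pull_request:` with a `paths-ignore:` filter for documentation-only changes would preserve the gate for code changes while skipping the slow job for the rest.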
Member

To be honest, I would still run CodeQL for PRs against main, as it will block the PR from being merged if there are CodeQL issues.

Member

I think it's probably fine to run it on main only, because I don't remember a single time where it failed for a valid reason 😅 We'll still get the notification if it's failed on main and see the results here: https://github.com/getsentry/sentry-java/security/code-scanning

The reason we don't want to run it on PRs is that without build-cache it'd be the longest one to run. Alternatively we could skip the run altogether if there were no code changes, to prevent the job from failing, but I think it's a good middle-ground for now.

Member

@romtsn romtsn left a comment

LGTM, let's see how it goes and we add a skip-check later, if we see it necessary 👍

@runningcode runningcode enabled auto-merge (squash) May 13, 2025 09:47
@runningcode runningcode merged commit b694d8b into main May 13, 2025
33 checks passed
@runningcode runningcode deleted the no/codeql branch May 13, 2025 09:49
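
As an added example (not the workflow from this PR, whose full contents are not shown on this page), the following is a post-merge CodeQL workflow for a Gradle project in the shape the description and the review discussion above call for: triggered on push to main rather than on pull_request, building with Gradle's build cache disabled so the CodeQL extractor actually observes compilation, and with a paths-ignore filter as the "skip when there are no code changes" middle ground mentioned in the review. The action versions, the java-kotlin language id, the JDK version, the assemble task and the ignored paths are assumptions, not taken from the sentry-java repository.

```yaml
# Added example, not the workflow from PR #4385. Assumptions: Gradle wrapper at
# the repository root, an `assemble` task that compiles every module, JDK 17,
# and current major versions of the actions used.
name: 'CodeQL'

on:
  push:
    branches: [main]
    # Middle ground discussed in the review: skip the slow job when the push
    # touches no code at all (assumed paths).
    paths-ignore:
      - '**/*.md'
      - 'docs/**'
  schedule:
    # Weekly run so updated CodeQL query packs are still applied to an
    # otherwise unchanged main.
    - cron: '0 3 * * 1'

permissions:
  contents: read
  security-events: write   # needed to upload results to code scanning

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin

      # CodeQL builds its database by tracing the compiler. A task whose output
      # is restored from the build cache never runs javac/kotlinc, so that code
      # is invisible to the analysis. Disable the cache and force every task to
      # re-execute, which is what makes this job slow and why it runs post-merge.
      - name: Build with caching disabled
        run: ./gradlew assemble --no-build-cache --rerun-tasks --no-daemon

      - uses: github/codeql-action/analyze@v3
```

Because there is no pull_request trigger, a finding introduced by a PR is only reported after the merge, in the repository's code-scanning tab; the schedule entry keeps alerts current when main is idle, and the paths-ignore filter is the cheap way to avoid burning a full uncached build on documentation-only pushes.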