🔐 ci(security): add CodeQL analysis workflow for Java 21 multi-module build

- Introduced `.github/workflows/codeql.yml` for CodeQL static analysis
- Runs on `push`, `pull_request`, and weekly schedule
- Builds both `customer-service` and `customer-service-client` modules
- Reports results to GitHub Security → Code scanning alerts
- Ensures minimal permissions (`security-events: write`, `contents: read`)

Improves overall security posture and enables automated vulnerability detection.

Author: bsayli

.github/workflows/codeql.yml

@@ -0,0 +1,47 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '18 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+  analyze:
+    name: Analyze (CodeQL)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: '21'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java
+      - name: Build (customer-service)
+        run: mvn -q -ntp -DskipTests=true clean package
+        working-directory: customer-service
+
+      - name: Build (customer-service-client)
+        run: mvn -q -ntp -DskipTests=true clean package
+        working-directory: customer-service-client
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:java"