CI: CodeQL last

Run after at least Ubuntu has passed.

Author: ax3l

.github/workflows/ci.yml

@@ -9,6 +9,7 @@ concurrency:
 jobs:
   stubs:
     # Pushes should only run on mainline branch "development"
+    # TODO: We can also skip this, if the latest commit's name is "Update Stub Files"
     if: github.event_name == 'push' && github.repository == 'AMReX-Codes/pyamrex' && github.ref == 'refs/heads/development'
     name: 🔄 Update Stub Files
     secrets:
@@ -45,6 +46,16 @@ jobs:
     needs: [stubs]
     uses: ./.github/workflows/windows.yml
 
+  codeql:
+    if: github.event.pull_request.draft == false
+    name: 🔎 CodeQL
+    needs: [ubuntu]
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: ./.github/workflows/codeql.yml
+
   save_pr_number:
     if: github.event_name != 'push'
     runs-on: ubuntu-latest

.github/workflows/codeql.yml

@@ -1,10 +1,7 @@
 name: 🔎 CodeQL
 
 on:
-  push:
-    branches: [ "development" ]
-  pull_request:
-    branches: [ "development" ]
+  workflow_call:
   schedule:
     - cron: "27 3 * * 0"