ci: Set up CodeQL analysis w/ fixes (#1711)

* ci: Set up CodeQL analysis
* spec: disable allowBackup in testing
* ci: do not check cordova.js - convered in cordova-js repo
* chore: add missing @Override annotation

.github/workflows/ci.yml

@@ -31,15 +31,12 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@v3
-
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
 
-      - name: set up JDK 11
-        uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
           java-version: '11'
@@ -50,6 +47,21 @@ jobs:
           npm --version
           gradle --version
 
+      # "bin/templates/platform_www/cordova.js" is ignored because it is a generated file.
+      # It contains mixed content from the npm package "cordova-js" and "./cordova-js-src".
+      # The report might not be resolvable because of the external package.
+      # If the report is related to this repository, it would be detected when scanning "./cordova-js-src".
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: javascript, java-kotlin
+          queries: security-and-quality
+          config: |
+            paths-ignore:
+              - coverage
+              - node_modules
+              - templates/project/assets/www/cordova.js
+              - test/androidx/app/src/main/assets/www/cordova.js
+
       - name: npm install and test
         run: |
           npm i
@@ -57,6 +69,8 @@ jobs:
         env:
           CI: true
 
+      - uses: github/codeql-action/analyze@v3
+
       - uses: codecov/codecov-action@v4
         if: success()
         with: