Add recommendation around CodeQL

[codeboten]

The following question came up in open-telemetry/opentelemetry-js#4101

Are there any specific recommendations from the Security SIG on running CodeQL? Ours runs once a day, but both the collector and java seem to run on every PR and push to main - should we change our workflow to do the same?

Creating this issue to document the recommendation in this repository

[codeboten]

From a discussion in the #otel-sig-security slack channel, the proposal is to recommend running CodeQL on pushes to main and on every PR