
ci(pages): upload bca self-scan offenders to Code Scanning#499

Merged: dekobon merged 1 commit into main from ci/dogfood-self-scan-sarif on Jun 3, 2026

Conversation

@dekobon (Owner) commented Jun 2, 2026

What

Wire bca's own SARIF output into the scan job in pages.yml and
upload it to GitHub Code Scanning, closing a dogfooding gap: the repo
already ships a SARIF writer and documents bca check --output-format sarif --no-fail + upload-sarif as the GitHub-native integration
path for adopters — and ci.yml already uploads clippy's SARIF —
yet bca's own self-scan offenders never reached Code Scanning.

Changes

  • .github/workflows/pages.yml
    • Add a job-scoped permissions block to scan
      (security-events: write + actions: read; workflow default
      stays contents: read), mirroring ci.yml's clippy job.
    • Add a Generate self-scan SARIF step:
      bca check --output-format sarif --no-fail --output bca.sarif.
      --no-fail + if: always() means it emits even when the gate is
      red. It reads the same auto-discovered bca.toml manifest as the
      gate, so published alerts match the gate's baseline-filtered
      offender set.
    • Add an Upload self-scan SARIF to code scanning step using the
      same pinned github/codeql-action/upload-sarif as clippy, under a
      distinct category: bca, with the same fork-PR guard.
  • big-code-analysis-book/src/recipes/ci.md — update the
    "Live worked example" to note the workflow now also exercises a
    SARIF upload end-to-end, including the fork-PR exception.

Semantics

The SARIF is baseline-filtered (same config as the gate), so Code
Scanning shows only regressions past .bca-baseline.toml — i.e. what
would actually fail CI — rather than permanently surfacing accepted
debt. The Markdown/HTML reports keep the full offender picture.

Validation

  • make actionlint — clean.
  • make markdown-lint — clean.
  • Ran bca check --output-format sarif --no-fail --output bca.sarif
    locally: well-formed SARIF 2.1.0; 0 results today because the repo
    sits at a clean baseline (expected — it lights up on the first
    beyond-baseline regression).

Notes

The scan job now runs bca check twice (gate + SARIF emit). This is
a deliberate tradeoff: collapsing to one parse would mean making the
SARIF invocation the gate, which breaks the local/CI gate-invocation
unification and replaces human-readable gate logs with raw SARIF JSON.
The extra analysis pass is seconds in a job dominated by the release
build, so two parses is the right call.

The scan job already runs bca against its own source and publishes
Markdown/HTML reports plus the threshold gate, but it never emitted
bca's own SARIF — the one GitHub-native output we document for
adopters in commands/check.md and recipes/ci.md. CI even uploads
clippy's SARIF, so we dogfooded a third-party tool's SARIF but not
our own writer.

Emit `bca check --output-format sarif --no-fail` and upload it via
the same pinned codeql-action/upload-sarif used for clippy, under a
distinct `category: bca`. The step uses `--no-fail` + `if: always()`
so the SARIF publishes even when the gate is red, and reads the same
auto-discovered bca.toml manifest as the gate so the alerts match the
gate's baseline-filtered offender set.

Adds security-events:write + actions:read to the scan job (default is
contents:read), mirroring ci.yml's clippy job.
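
The wiring described above, rendered as a workflow fragment. This is an added illustration, not the repository's actual pages.yml: the job name `scan`, the elided checkout/build/gate steps, the placeholder action SHA, and the exact fork-PR guard expression (the page only says it matches the clippy job's guard) are all assumptions.

```yaml
# Added illustration of the self-scan SARIF wiring, not the project's own pages.yml.
# Assumptions: job named `scan`; earlier steps elided; action SHA is a placeholder;
# the fork-PR guard expression is a guess at what "the same fork-PR guard" means.
jobs:
  scan:
    runs-on: ubuntu-latest
    # Job-scoped, not workflow-scoped: only this job receives the write scope
    # that upload-sarif needs. The workflow default remains contents: read.
    permissions:
      contents: read
      security-events: write   # needed to publish SARIF alerts to Code Scanning
      actions: read            # upload-sarif documents this for private repositories
    steps:
      # ... checkout, toolchain setup, release build, threshold gate (elided) ...

      - name: Generate self-scan SARIF
        # --no-fail: exit 0 even when offenders exceed thresholds.
        # if: always(): run this step even after a red gate step.
        # The same auto-discovered bca.toml is read, so the result set is
        # baseline-filtered exactly like the gate's.
        if: always()
        run: bca check --output-format sarif --no-fail --output bca.sarif

      - name: Upload self-scan SARIF to code scanning
        # Pull requests from forks run with a read-only GITHUB_TOKEN, so the
        # upload would fail; skip it unless the head repo is this repo.
        # (Guard expression is an assumption, see lead-in.)
        if: >-
          ${{ always() &&
              (github.event_name != 'pull_request' ||
               github.event.pull_request.head.repo.full_name == github.repository) }}
        uses: github/codeql-action/upload-sarif@<PINNED-SHA-PLACEHOLDER>  # same pin as the clippy job
        with:
          sarif_file: bca.sarif
          category: bca   # distinct from clippy's category so the two alert sets do not collide
```

Because the SARIF is produced from the same baseline-filtered configuration as the gate, an alert appearing in the Security tab corresponds to a regression that would also fail CI, not to accepted debt.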

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@dekobon dekobon force-pushed the ci/dogfood-self-scan-sarif branch from d3566d0 to c870e81 on June 3, 2026 00:46
@dekobon dekobon merged commit ad2731d into main Jun 3, 2026
70 checks passed
@dekobon dekobon deleted the ci/dogfood-self-scan-sarif branch June 3, 2026 01:00