fix: isolate per-extension failures so one bad extension can't drop the rest #3952

	name: "CodeQL"

	on:
	push:
	branches: [ main ]
	pull_request:
	branches: [ main ]

	jobs:
	analyze:
	name: Analyze
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	contents: read
	strategy:
	fail-fast: false
	matrix:
	language: [ 'actions', 'python' ]
	steps:
	- name: Checkout repository
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

	- name: Initialize CodeQL
	uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
	with:
	languages: ${{ matrix.language }}

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
	with:
	category: "/language:${{ matrix.language }}"

Provide feedback