ci: only run on specific paths

This avoids the previously applied paths-ignore exception workaround,
and makes runs as strict as (reasonably) possible. Only directories
known to affect builds will trigger builds, as well as any `.cpp` or
`.h` files to account for any new folders created - though these should
still be added to the workflow later

Signed-off-by: Seth Flynn <getchoo@tuta.io>

.github/workflows/codeql.yml

@@ -2,37 +2,48 @@ name: "CodeQL Code Scanning"
 
 on:
   push:
-    # NOTE: `!` doesn't work with `paths-ignore` :(
-    # So we a catch-all glob instead
-    # https://github.com/orgs/community/discussions/25369#discussioncomment-3247674
     paths:
-      - "**"
-      - "!.github/**"
-      - ".github/workflows/codeql.yml"
-      - "!flatpak/"
-      - "!nix/"
-      - "!scripts/"
+      # File types
+      - "**.cpp"
+      - "**.h"
+      - "**.java"
 
-      - "!.git*"
-      - "!.envrc"
-      - "!**.md"
+      # Directories
+      - "buildconfig/"
+      - "cmake/"
+      - "launcher/"
+      - "libraries/"
+      - "program_info/"
+      - "tests/"
+
+      # Files
+      - "CMakeLists.txt"
       - "COPYING.md"
-      - "!renovate.json"
+
+      # Workflows
+      - ".github/codeql"
+      - ".github/workflows/codeql.yml"
   pull_request:
-    # See above
     paths:
-      - "**"
-      - "!.github/**"
-      - ".github/workflows/codeql.yml"
-      - "!flatpak/"
-      - "!nix/"
-      - "!scripts/"
+      # File types
+      - "**.cpp"
+      - "**.h"
 
-      - "!.git*"
-      - "!.envrc"
-      - "!**.md"
+      # Directories
+      - "buildconfig/"
+      - "cmake/"
+      - "launcher/"
+      - "libraries/"
+      - "program_info/"
+      - "tests/"
+
+      # Files
+      - "CMakeLists.txt"
       - "COPYING.md"
-      - "!renovate.json"
+
+      # Workflows
+      - ".github/codeql"
+      - ".github/workflows/codeql.yml"
   workflow_dispatch:
 
 jobs: