feat: Initial run of Semgrep scan #1084

Open: adimoft wants to merge 14 commits into main from semgrep-initial-run

@adimoft adimoft commented Jun 18, 2026

This pull request introduces several improvements to Windows-specific code and GitHub workflow automation. The most significant changes include refactoring Windows system calls to use the golang.org/x/sys/windows package for better reliability and maintainability, adding a Semgrep security scan workflow, and making minor adjustments to CI and release workflows.

Windows system code modernization and reliability:

  • Refactored all Windows system calls in cmd/app/tray_windows.go to use the golang.org/x/sys/windows package instead of the standard syscall package, improving compatibility and future-proofing the code. This includes changes to mutex handling, DLL loading, and process attributes. [1] [2] [3]
  • Cleaned up and clarified mutex acquisition and probing logic, and improved error handling and code readability in ensureSingleInstance, acquireInstanceMutex, and probeInstanceMutex.
  • Improved user notification logic for already-running instances by updating the use of Windows APIs and simplifying process launching.

Security and CI/CD workflow enhancements:

  • Added a new .github/workflows/semgrep.yml workflow to automatically run Semgrep security scans on pushes and pull requests to main, enhancing code security checks.
  • Enabled workflow_dispatch triggers for both the CI and Semgrep workflows, allowing manual workflow runs from the GitHub UI. [1] [2]
  • Updated the release workflow to fix environment variable naming (GITHUB_REF_NAME) and improved how branches are passed to semantic-release, ensuring correct versioning behavior.

---
Subject: Added initial Semgrep scan

codecov Bot commented Jun 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.44%. Comparing base (82728e6) to head (c43dee2).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1084   +/-   ##
=======================================
  Coverage   43.44%   43.44%           
=======================================
  Files         143      143           
  Lines       13621    13621           
=======================================
  Hits         5917     5917           
  Misses       7143     7143           
  Partials      561      561           


@adimoft adimoft marked this pull request as ready for review June 19, 2026 10:20
@adimoft adimoft requested a review from a team as a code owner June 19, 2026 10:20

Copilot AI left a comment

Pull request overview

Adds an initial Semgrep scanning workflow to the repository and includes a few workflow and Windows tray-related tweaks.

Changes:

  • Added a new GitHub Actions workflow to run Semgrep on pushes/PRs.
  • Updated the Windows tray single-instance logic to use golang.org/x/sys/windows APIs.
  • Adjusted CI/release workflows (added workflow_dispatch; tweaked semantic-release invocation/output handling).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| cmd/app/tray_windows.go | Switches Win32 interop from syscall to x/sys/windows; refactors mutex and browser-launch code. |
| .github/workflows/semgrep.yml | Introduces a Semgrep scan workflow using a pinned container image and reusable action. |
| .github/workflows/release.yml | Updates the dry-run semantic-release step environment variable usage and output redirection quoting. |
| .github/workflows/ci.yml | Adds YAML document marker and enables manual dispatch. |

Comment thread cmd/app/tray_windows.go
Comment thread cmd/app/tray_windows.go
Comment thread cmd/app/tray_windows.go Outdated
Comment thread .github/workflows/semgrep.yml
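
For reference, a minimal sketch of a Semgrep workflow with the triggers and image pinning described in this pull request. It is an added example, not the contents of this PR's .github/workflows/semgrep.yml; the job name, the `semgrep scan --config auto --error` invocation, the read-only permissions block and both pin placeholders are assumptions.

```yaml
---
name: Semgrep

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  # Allows manual runs from the GitHub UI.
  workflow_dispatch: {}

# Least privilege: the scan only needs to read the checked-out code.
permissions:
  contents: read

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      # Pin by digest rather than by a mutable tag.
      # Placeholder: replace with a digest you have verified.
      image: semgrep/semgrep@sha256:<IMAGE_DIGEST_PLACEHOLDER>
    steps:
      # Pin third-party actions to a full commit SHA (placeholder below).
      - uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER>
        with:
          # Do not leave the job token in the local git config.
          persist-credentials: false
      # --error makes the job exit non-zero when findings are reported.
      - run: semgrep scan --config auto --error
```
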
@sudhir-intc (Contributor) commented:

@adimoft: can you please resolve the Copilot review comments?

adimoft and others added 3 commits June 22, 2026 12:20
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/semgrep.yml Outdated
Comment thread cmd/app/tray_windows.go Outdated
adimoft and others added 2 commits June 22, 2026 12:30
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>