chore(NODE-6578): add misc tooling to ZSTD repo

[baileympearson]

Description

What is changing?

This PR contains a smattering of tooling we'll need for the SSDLC release flow (coming in the next PR):

• A release please config and manifest has been added.
• A new build action has been added, that builds the bindings and uploads the to GHA artifact storage (for use in the release action later, coming in a follow-up PR)
• CodeQL has been enabled and configured for both C++ and JS.
• A new SBOM file has been generated, which includes the correct version of zstd as our only bundled dependency.
• The zstd C library version now is specified in the package.json and the install scripts reads the package file to install the correct version of zstd.

Is there new documentation needed for these changes?

What is the motivation for this change?

Double check the following

• Ran npm run format:js && npm run format:rs script
• Self-review completed using the steps outlined here
• PR title follows the correct format: type(NODE-xxxx)[!]: description
  • Example: feat(NODE-1234)!: rewriting everything in coffeescript
• Changes are covered by tests
• New TODOs have a related JIRA ticket

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[aditi-khare-mongoDB]

CodeQL only takes about 2 minutes, is there a reason we put a timeout here and chose 360?

[baileympearson]

not really, no.

This is directly copied from mongodb-client-encryption, which was auto-generated by Github for us. I could adjust it if you want

[aditi-khare-mongoDB]

No need to change it if it matches the existing code for mongodb-client-encryption!

[aditi-khare-mongoDB]

What's the motivation behind this change?

[baileympearson]

The last line in the dockerfile:

COPY --from=build /zstd/prebuilds/ /

Requires that tag used in --from is the same as the tag here. I chose to change this to build to match Dockerfile.glibc instead of adjusting the tag below to --from=node.

[aditi-khare-mongoDB]

Sounds good

[nbbeeken]

Warning: 0:0 warning File ignored by default. Use a negated ignore pattern (like "--ignore-pattern '!<relative/path/to/filename>'") to override

Why doesn't this happen on our other repos? I'm seeing github post a warning on the .release-please-manifest.json file

[baileympearson]

Warning: 0:0 warning File ignored by default. Use a negated ignore pattern (like "--ignore-pattern '!<relative/path/to/filename>'") to override

Why doesn't this happen on our other repos? I'm seeing github post a warning on the .release-please-manifest.json file

We don't lint json files in our other repos. I set this up when I set up eslint and mocha - you pointed out they were malformed and we decided to lint them.