feat: make SARIF upload opt-in to avoid paid feature requirement

Add upload-sarif input (default: false) to control GitHub Security tab
integration. This avoids confusing error messages for private repos
that don't have Code Security enabled ($30/mo per committer).

Also updated CodeQL action to v4 (v3 deprecated Dec 2026).

Usage for repos with Code Security enabled:
  with:
    upload-sarif: true

Author: RickCogley

.github/workflows/security.yml

@@ -60,6 +60,11 @@ on:
         required: false
         type: boolean
         default: false
+      upload-sarif:
+        description: 'Upload SARIF to GitHub Security tab (requires Code Security enabled, paid for private repos)'
+        required: false
+        type: boolean
+        default: false
     secrets:
       SEMGREP_APP_TOKEN:
         description: 'Optional Semgrep App token for enhanced rules'
@@ -271,11 +276,10 @@ jobs:
           retention-days: 30
 
       - name: Upload to GitHub Security
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
+        uses: github/codeql-action/upload-sarif@v4
+        if: inputs.upload-sarif
         with:
           sarif_file: reports/semgrep.sarif
-        continue-on-error: true
 
       - name: Semgrep Summary
         if: always()