Include test code in security scans

At second thought, somebody might use CVE-2021-42574 (Trojan source)
or CVE-2021-42694 (homoglyph attack) in tests in order to target
developers.

Author: jgonggrijp

.github/config/codeql.yml

@@ -1,4 +1,6 @@
 paths:
-  - 'modules/**/*.js'
+  - 'modules/**'
+  - 'test/**'
+  - 'test-treeshake/**'
   - 'rollup*.js'
   - 'index.html'

.github/workflows/codeql-analysis.yml

@@ -18,7 +18,9 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ master ]
     paths:
-      - 'modules/**/*.js'
+      - 'modules/**'
+      - 'test/**'
+      - 'test-treeshake/**'
       - 'rollup*.js'
       - 'index.html'
   schedule: