Add Microsoft to trusted actions owner

[felickz]

Trust Microsoft*/GitHub* Actions publishers for the unpinned actions query.

Ex:

    # Discover where the MSBuild tool is and automatically add it to the PATH environment variable
    - name: Setup MSBuild
      uses: microsoft/setup-msbuild@v2

    # Download/installs a given version of NuGet.exe. Using this action will add nuget to your $PATH
    - name: Setup NuGet
      uses: NuGet/setup-nuget@v2

    # Connect to Azure
    - name: Login to Azure
      uses: azure/login@v2

   # Deploys to Azure
    - name: Deploy to Azure Web App
      uses: azure/webapps-deploy@v2

[Copilot]

Pull Request Overview

This PR updates the list of trusted Actions owners in the CodeQL configuration to include Microsoft and Azure.

• Adds "microsoft" and "azure" entries under the extensions section.

[intrigus-lgtm]

I understand that GitHub is a part of Microsoft, but I would say that many people would still consider microsoft/*, azure/*, and NuGet/ 3rd party Actions.
So why explicitly trust them?

[felickz]

I understand that GitHub is a part of Microsoft, but I would say that many people would still consider microsoft/*, azure/*, and NuGet/ 3rd party Actions. So why explicitly trust them?

Fair enough objection. I am of the opposite opinion here that the greater majority of folks would consider the Microsoft parent company a 1st party to GitHub. To me 1st/2nd/3rd party is not the issue here, it is about trust in the supply chain and development/publish process. Both GitHub and Microsoft follow a similar security policy directive for ensuring secure development - https://www.microsoft.com/en-us/trust-center/security/secure-future-initiative