ci: add trust policy file for codeql (#15778)

This adds a trust policy file in support of
#15757

Author: emmettbutler

.github/chainguard/codeql.sts.yaml

@@ -0,0 +1,12 @@
+issuer: https://gitlab.ddbuild.io
+subject_pattern: "project_path:DataDog/dd-trace-py:ref_type:branch:ref:.*"
+claim_pattern:
+  project_path: "DataDog/apm-reliability/dd-trace-py"
+  ref_type: "branch"
+  ref: ".+"
+  ref_path: "refs/heads/.+"
+  ref_protected: "true"
+  pipeline_source: "(web|schedule)"
+  ci_config_ref_uri: "gitlab.ddbuild.io/DataDog/apm-reliability/dd-trace-py//.gitlab-ci.yml@refs/heads/.+"
+permissions:
+  security_events: write