Add validation for empty latest_tag in CodeQL update workflow

[Copilot]

The workflow's detect-update job fetches the latest CodeQL CLI release but doesn't validate the result. If the GitHub API returns no release marked as isLatest, the empty latest_tag propagates through version comparison and output variables, causing cryptic failures in downstream update steps.

Changes:

• Added empty string check after gh release list API call
• Fail fast with explicit error message when no latest release found
• Write errors to stderr and exit with code 1

Example:

# Get latest release from codeql-cli-binaries
latest_tag=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')

# Validate that we found a latest release
if [ -z "${latest_tag}" ]; then
  echo "❌ Error: Could not determine latest CodeQL CLI version from github/codeql-cli-binaries" >&2
  echo "No release marked as 'latest' was found. This may indicate an API issue or repository change." >&2
  exit 1
fi

latest_clean="${latest_tag#v}"

This prevents the workflow from proceeding with empty version strings that would cause update steps to fail with unclear error messages.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.