SEC: enable security scans of GHA using zizmor #104
|
Note: I expect the first run might fail because I intentionally disabled all permissions at the workflow level. The idea is to iteratively re-enable anything that turns out necessary in practice, but only this subset. So, it might take a couple iterations to get there, but I think I'll need manual approval for each run to start, since I never contributed to this repo before. |
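The least-privilege layout described in the comment above, as an added example that is not taken from this pull request's workflow file. The branch name, the action version tags and the `pipx run` invocation are assumptions.

```yaml
# Added illustration; not the workflow file from this pull request.
name: zizmor

on:
  push:
    branches: [main]   # assumed default branch name
  pull_request:

# Workflow level: grant the GITHUB_TOKEN no scopes at all.
# Any job that needs a scope must ask for it explicitly below.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    # Job level: only the scopes this job turned out to need.
    permissions:
      contents: read          # check out the repository
      security-events: write  # upload SARIF results to code scanning
      # actions: read         # additionally needed in private repositories
    steps:
      # Version tags are assumptions; pinning to a full commit SHA is stricter.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # do not leave the token in .git/config
      # pipx ships on GitHub-hosted Ubuntu runners; zizmor is published on PyPI.
      - name: Scan workflow files
        run: pipx run zizmor --format sarif . > results.sarif
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: zizmor
```

With `permissions: {}` at the top, a job that is missing a scope fails with an authorization error at the step that needs it, which is what makes the iterative re-enabling approach workable.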
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
Do ping! I started run number one. Thanks! |
|
Thanks! |
|
The failure with MacOS + meson is weird, especially since things pass fine on linux and windows. This is indeed unrelated to your PR, and may have been around for a while - we haven't really made changes to @eli-schwartz - sorry to bother you, but since you initially put in support for building with meson, might you be able to help trouble-shoot this? Possibly, it is not at all meson related, but the error claims that it is (and should be reported to meson). |
|
@mhvk no problem, I'm happy to be pinged. This is a bug in python 3.14 and exposed in meson, which will be solved by working around it in meson. Meson does have a relatively strict policy that if a python traceback can be reached when running meson, it's a bug simply because any reason for a traceback to occur means we should have caught the traceback and reported a better error message with more helpful guidance. Also, invariably it's actually a real bug so we want people to actually report them to us instead of worrying about whose fault it is. ;) The fix is not merged yet in meson git master. The next bugfix release will be meson 1.9.2, which I suppose I should really prioritize at this point. Maybe I can tag it over the weekend, including this fix. |
|
Thanks! This PR should not be a reason to hurry -- now we know if it is unrelated to us, we can just merge this PR. |
As suggested in liberfa/pyerfa#183