Add security CI/CD pipeline for GitHub Actions in addition to existing security measures#29

Merged
Jamestth merged 8 commits into main from feat/add-security-cicd on Jun 4, 2026
Conversation

@Jamestth
Contributor

@Jamestth Jamestth commented Jun 3, 2026

Summary

  • Add a new security.yml GitHub Actions workflow replicating GitLab CI security scanning (secret detection, dependency scanning, SAST)
  • Improve error handling in LogicalTypeOptionsCheckReference by replacing assert statements with explicit RuntimeError for clearer debugging in production

Changes

Security workflow (.github/workflows/security.yml):

  • Secret detection — TruffleHog scans commit history for leaked credentials (verified + unknown results). No license required.
  • SAST — Semgrep with p/python, p/bandit, and p/secrets rulesets. Fails the job on findings (--error). No token required.
  • Dependency review — Blocks PRs that introduce high-severity vulnerable dependencies (fail-on-severity: high)

All three jobs are configured to fail on findings.

Runs on pushes to main and on pull requests.

Error handling fix (src/vowl/contracts/check_reference_generated.py):

  • Replace bare assert pattern is not None with RuntimeError that includes the failing value, so issues are surfaced in production rather than silently passing when Python optimizations are enabled (-O).
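The -O behaviour behind the error-handling fix, as an added example that is not part of this PR: two shapes of a reference-pattern lookup (an assert-based guard and the RuntimeError replacement) are compiled with and without assertion stripping, which is what `python -O` does. The names `resolve_pattern`, `PATTERNS`, `load` and `outcome` and the sample patterns are constructed for this illustration, not taken from the project.

```python
# Compile the same check with optimize=0 (normal) and optimize=1 (python -O)
# to show why an `assert` guard can silently pass in production.

# Constructed "before" shape: the only guard is an assert.
ASSERT_VERSION = r'''
import re
PATTERNS = {"iri": re.compile(r"^https?://\S+$")}   # constructed sample table
def resolve_pattern(kind):
    pattern = PATTERNS.get(kind)
    assert pattern is not None, f"no pattern for {kind!r}"   # gone under -O
    return pattern
'''

# Constructed "after" shape: an explicit exception that survives -O and
# carries the failing value in its message.
ERROR_VERSION = r'''
import re
PATTERNS = {"iri": re.compile(r"^https?://\S+$")}
def resolve_pattern(kind):
    pattern = PATTERNS.get(kind)
    if pattern is None:
        raise RuntimeError(f"no reference pattern registered for {kind!r}")
    return pattern
'''


def load(source: str, optimize: int):
    """Compile `source` at the given optimization level and return resolve_pattern.

    optimize=1 mirrors `python -O`: the compiler drops assert statements entirely.
    """
    namespace: dict = {}
    exec(compile(source, "<check_reference>", "exec", optimize=optimize), namespace)
    return namespace["resolve_pattern"]


def outcome(source: str, optimize: int, kind: str) -> str:
    """Run the check for `kind`; report 'ok', 'raised:<Exception>' or 'silent-None'."""
    resolve_pattern = load(source, optimize)
    try:
        result = resolve_pattern(kind)
    except Exception as exc:  # noqa: BLE001 - we want to classify any failure
        return f"raised:{type(exc).__name__}"
    return "ok" if result is not None else "silent-None"


if __name__ == "__main__":
    for label, src in (("assert", ASSERT_VERSION), ("RuntimeError", ERROR_VERSION)):
        for opt in (0, 1):
            print(f"{label:12s} optimize={opt}: {outcome(src, opt, 'curie')}")
```

With the assert version, optimize=1 returns None to the caller without any error, which is the silent pass the PR description refers to; the RuntimeError version fails loudly at both levels.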

@Jamestth Jamestth requested a review from a team June 3, 2026 06:55
@Jamestth Jamestth merged commit 1479235 into main Jun 4, 2026
10 checks passed