feat: add OSV Scanner workflow#132

Open
vredchenko wants to merge 1 commit into main from add-osv-scanner
Conversation

@vredchenko
Collaborator

@vredchenko vredchenko commented Feb 4, 2026

Summary

  • Add automated vulnerability scanning using Google's OSV Scanner action (v2.3.2)
  • Runs on PR (diff scan), push to main (full scan), daily at 03:00 UTC, and manual dispatch
  • Reports findings via SARIF to GitHub Security tab

Test plan

  • Verify workflow triggers on this PR
  • Check Security tab for SARIF upload after merge

Runs on PR, push to main, daily at 03:00 UTC, and manual dispatch.
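A caller workflow matching the four triggers the summary lists, as an added example that is not the PR's own diff. It assumes the two reusable workflows published in the google/osv-scanner-action repository (a PR diff scan and a full scan); splitting the jobs on `github.event_name` is this example's own choice.

```yaml
# Added example, not the PR's actual workflow file. Assumes the reusable
# workflows shipped by google/osv-scanner-action (PR diff scan and full scan);
# the split on event_name is this example's own choice.
name: OSV Scanner

on:
  pull_request:
    branches: [main]          # diff scan: only vulnerabilities the PR introduces
  push:
    branches: [main]          # full scan after merge
  schedule:
    - cron: "0 3 * * *"       # daily at 03:00 UTC
  workflow_dispatch:          # manual run

# Least privilege: uploading SARIF to the Security tab needs security-events: write;
# nothing here needs write access to repository contents.
permissions:
  actions: read
  contents: read
  security-events: write

jobs:
  scan-pr:
    # Compares the PR head against its base and fails the check when the diff
    # adds a vulnerable dependency (the "PR gate" discussed in the thread).
    if: github.event_name == 'pull_request'
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2

  scan-full:
    # Full scan of the checked-out tree on push, schedule and manual dispatch;
    # findings are uploaded as SARIF.
    if: github.event_name != 'pull_request'
    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.2
```

Pinning `uses:` to the v2.3.2 tag follows the PR summary; pinning to the tag's full commit SHA is the stricter choice for a workflow whose job is supply-chain hygiene.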
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@vredchenko
Collaborator Author

Note:

Dependabot focuses on known CVEs in direct/transitive dependencies and can auto-create PRs to bump versions. It's reactive -
it tells you "this dependency has a CVE, here's a PR to fix it."

OSV Scanner uses the broader OSV database which aggregates multiple sources beyond just CVEs (GitHub Advisories, PyPI, Go,
etc.) and can catch things Dependabot misses. The key difference is the PR diff scan - it scans only the changes introduced
by a PR and blocks merging if new vulnerabilities are being introduced. Dependabot doesn't do that. It also gives you the
SARIF integration in the Security tab for a unified view.

That said, for a pure npm project like sci-react-ui, the overlap is significant. The main added value of OSV Scanner here is
the PR gate - preventing new vulns from being merged in the first place, rather than finding out after the fact. Whether
that's worth the extra workflow depends on how much you care about shift-left for this particular repo.

Member

@akademy akademy left a comment

Now that the vulnerabilities are being highlighted, it would be a good time to fix them!

See if you can fix the current security concerns with some package updates...

@vredchenko
Collaborator Author

> Now that the vulnerabilities are being highlighted, it would be a good time to fix them!
>
> See if you can fix the current security concerns with some package updates...

Sure, that was the plan right after this is merged. Current vulnerability highlights come from Dependabot; this workflow has not uploaded any findings yet, but when it does it will publish to: https://github.com/DiamondLightSource/sci-react-ui/security/code-scanning

I want to merge this before addressing them, because merging will trigger a full run (not just on PR changes) and I want to see that first.

@vredchenko vredchenko requested a review from akademy February 5, 2026 17:52