Feature/566 introduce clang tidy setup

[pnoltes]

This PR introduces a clang-tidy setup for the project.

I know we previously introduced the GCC static analyzer, but was already testing clang-tidy in the background. A key benefit of clang-tidy is its compatibility with both Clang and GCC. Additionally, you do not need to perform a full compilation first, though clang-tidy does require the CMake-generated compile_commands.json file.

I have enabled most check groups but disabled individual checks that currently report issues. I expect we can enable almost all checks over time (if desired), though some will require further discussion.

Potentially Problematic Checks:

• cppcoreguidelines: Almost all of these checks trigger on C headers included in C++. This might be solvable by wrapping extern "C" directives with //NOLINTBEGIN(cppcoreguidelines-*) and //NOLINTEND(cppcoreguidelines-*).
• readability-*: Some of these are highly opinionated. For example, readability-identifier-naming flags certain variable names as too short (e.g., bnd).

CI/CD Integration

To run clang-tidy, I added a separate workflow. While it is possible to append a clang-tidy scan to an existing build job, doing so would extend the total execution time. Since clang-tidy only requires a CMake configuration, running it as a parallel job avoids increasing the overall build duration.

For local development, the ENABLE_CLANG_TIDY build option can be used to integrate the scan into the build process. While this is also possible on CI, I believe a single dedicated scan is sufficient.

The scan uses the clang-tidy-sarif tool to convert the output into a SARIF report. GitHub supports this format, though I am still confirming exactly how these results integrate into our specific GitHub environment (e.g., the Security tab).

Final Notes:

• I have temporarily disabled the suppression of the cert-dcl59-cpp check so that there is are least some findings to report for testing purposes.
• The cargo-bins/cargo-binstall action is restricted in our organization, so clang-tidy-sarif is currently "installed" via curl. I have kept the action usage in comments for now. If we agree that clang-tidy is the right path forward and the curl approach is acceptable, I will remove the commented-out code.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.53%. Comparing base (a0562f8) to head (b1382c4).

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #834      +/-   ##
==========================================
+ Coverage   91.50%   91.53%   +0.03%     
==========================================
  Files         235      235              
  Lines       28686    28686              
==========================================
+ Hits        26248    26259      +11     
+ Misses       2438     2427      -11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.