…assertions

remove type assertions from util.py

correctly handle `uname-cmd` that doesn't point to an executable file

This updates `ruff` in `.pre-commit-config.yaml` from 0.6.0 to
0.11.12, changes its `id` from the legacy `ruff` alias to
`ruff-check` (which is better distinguished from `ruff-format`,
which we also have a hook for), and applies the few style changes
it newly recommends throughout the code. The style changes seem to
make things slightly clearer overall.

This also updates some other pre-commit hooks, but those don't
require any changes to the code.

Currently the `ruff` dependency in `requirements-dev.txt` doesn't
specify a version, so no change is needed there. This update may
be seen as bringing the `pre-commit` version in line with what
users will usually have locally with `pip install -e ".[test]"`.

The `pre-commit` hooks are how linting is currently done on CI, so
this is updating `ruff` for CI. That's the most significant effect
of this change. (`pre-commit` is run for linting on CI probably
much more often than it is used locally, to manage pre-commit
hooks or otherwise, in GitPython development.)

Use newer ruff style

So GitHub can regenerate a fresh new one based on current defaults.

This adds CodeQL scanning of GitHub Actions, while continuing to
scan Python as well.

This will subsequently be customized slightly to restore some
elements of the preivous custom workflow that we may prefer.

This restores three aspects of the previous `codeql.yml`:

- Run it on all branches, not just `main`.

- Run it on the previous schedule rather than the new one, since
  there's no reason to change the schedule (though there's no
  reason to be attached to the old schedule either).

- Use "CodeQL" rather than "CodeQL Advanced" as the workflow
  `name`, since this takes up less horizontal space when reading
  the reports from the checks.

Of these, only the first is really significant.

This is another change back to the way we had it before, but the
removals are based specifically on the guidance in the default
workflow comments about why each permission was given by default.

Have CodeQL scan GitHub Actions workflows as well as Python code

Three CI workflows that need only `contents: read` permissions and
no other permissions did not have explicit permissions set, and
would therefore be given default permissions configured for the
repository, which might be more expansive than the workflows need.

It is recommended to set explicit workflow permissions [1]. This
does that, specifying permissions as `pythonpackage.yml` already
did, and closing three `actions/missing-workflow-permissions`
CodeQL alerts (new since gitpython-developers#2032 enabled scanning of GHA workflows).

[1]: https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/

…issions

Specify explicit `contents: read` workflow permissions