Create github action for flagging sql-related commits #5338
Replies: 2 comments
At the moment, SQL code is spread out through the codebase in a really messy fashion. In some places, we construct SQL query strings using interpolation, and I'm pretty sure SQL injection (i.e. unsafe interpolation of user-controlled values into our queries) is possible somewhere. I don't think there is going to be a reasonably comprehensive way to catch every SQL-related piece of code to alert changes to, not until a major upheaval of the database implementation.
Adding onto this, security is one of my areas. SQL injections are a problem if the database itself being manipulated by another party is a problem. With beets, this isn't technically a security problem without other bugs in the SQL system. The worst case from an injection would be inserting or deleting records; in essence, corrupting the database. Bad, but not technically a security issue unless you consider, possibly, the details of your music library to be a secret worth protecting. There are also linters and tools which detect and manage SQL best practices in Python code specifically. We could definitely either enable those with our current linters or add them to the CI.
SQL feels more fragile/risky to me than most computer code in beets. Maybe this is superstition, but SQL involves:
So I think we should do 2 things:
Detecting a sql change
There may be an off-the-shelf action for this. If not, just flag "SQL" (case-insensitive) in a line of code that changed. Doesn't have to be perfect, just one round of defense.
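One way to implement the "flag SQL in a changed line" check proposed above, as an added example that is not beets' own code or CI configuration: a scanner over unified-diff text (assumed to be fed from `git diff` by a CI job). The plain case-insensitive "sql" match is what the post proposes; the extra "interpolation" heuristic, which looks for SQL keywords inside f-strings, %-formatting, `.format()` or `+` concatenation, is my own assumption and goes beyond the post.

```python
import re

SQL_MENTION = re.compile(r"sql", re.IGNORECASE)  # the check the post proposes
# Extra heuristic (assumption, not from the discussion): a SQL keyword inside a
# string built with an f-string, %-formatting, .format() or "+" concatenation.
SQL_INTERPOLATION = re.compile(
    r"(f['\"].*\b(select|insert|update|delete|where)\b.*\{)"
    r"|(['\"].*\b(select|insert|update|delete|where)\b.*['\"]\s*(%|\.format\(|\+))",
    re.IGNORECASE,
)
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff: str) -> list[tuple[str, int, str, str]]:
    """Return (file, new_line_no, kind, text) for each flagged changed line."""
    hits, current_file, new_line = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith(("--- ", "+++ ")):  # file headers, not changed lines
            if raw[0] == "+":
                current_file = raw[4:].removeprefix("b/")
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("+"):
            line_no, content = new_line, raw[1:]
            new_line += 1
        elif raw.startswith("-"):
            line_no, content = 0, raw[1:]  # removed lines have no new position
        else:  # context line; "\ No newline at end of file" takes no slot
            new_line += not raw.startswith("\\")
            continue
        if SQL_INTERPOLATION.search(content):
            hits.append((current_file, line_no, "interpolation", content.strip()))
        elif SQL_MENTION.search(content):
            hits.append((current_file, line_no, "mention", content.strip()))
    return hits


# Constructed sample diff for demonstration; not taken from the beets repo.
SAMPLE_DIFF = """\
--- a/beets/dbcore/db.py
+++ b/beets/dbcore/db.py
@@ -10,3 +10,4 @@
 import os
-query = "SELECT * FROM items WHERE id = ?"
+query = f"SELECT * FROM items WHERE title = '{title}'"
+LOG = "sqlite ready"
"""
```

Note that the removed parameterized query is not flagged by either rule, while the added f-string is caught only by the interpolation heuristic; a plain "sql" grep alone would miss it.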