ci: build with runtime safety checks for PRs

[DonIsaac]

What does this PR do?

Improves our existing safe (bun build:safe) profile and enables it by default in CI. This is subtly different than assert (bun build:assert) as it does not turn on ENABLE_ASSERT when compiling c++ code.

Currently, release builds with assertions enabled will not compile because the node:crypto builtin module is large enough to cause an ASSERT_UNDER_CONSTEXPR_CONTEXT macro call in ASCIILiteral.h to exceed clang's constexpr eval step limit (100,000). After we re-write node:crypto in native code, we should re-enable assertions in safe builds.

Changelog

• build: tweak bun run build:safe to include nullptr checks in CPP builds
• ci: add safe profile
• ci: jobs not running on the main branch build with safe profile by default

How did you verify your code works?

This PR enables existing safety checks. If existing tests pass, we're all good. CI failure likely indicates bugs in our code.

[robobun]

^{Updated 4:03 PM PT - Feb 28th, 2025}

❌ @DonIsaac, your commit 0fec40a has some failures in Build #12494

---

🧪   try this PR locally:

bunx bun-pr 17808

[Jarred-Sumner]

This will cause bugs that only happen in release builds. Zig & LLVM both regularly have different behavior and bugs that only happen with or without ReleaseFast.

We cannot replace the PR builds with only assertions builds. We could do in addition, but it will make CI take longer. A 5 min discussion about this IRL probably would’ve saved you a lot of time.