Update CodeQL actions to v3

[rubo]

Changes

• Updated CodeQL actions from the deprecated v2 to v3 as recommended by GitHub
• Added security-and-quality suite
• Added the newly announced community packs for analysis
• Restored action versions over commit hashes as these actions are updated quite often, while the pinned hashes don't allow us to get the latest improvements and security updates for them
• Removed disk space free-up action since disabling redundant submodules makes enough room

Types of changes

What types of changes does your code introduce?

• Bugfix (a non-breaking change that fixes an issue)
• New feature (a non-breaking change that adds functionality)
• Breaking change (a change that causes existing functionality not to work as expected)
• Optimization
• Refactoring
• Documentation update
• Build-related changes
• Other: Description

Testing

Requires testing

• Yes
• No

[LukaszRozmej]

wasn't it pinned to commit for security reasons?

[rubo]

wasn't it pinned to commit for security reasons?

It was but I don't think it works well for the above reasons. It's a controversial thing.

[LukaszRozmej]

wasn't it pinned to commit for security reasons?

It was but I don't think it works well for the above reasons. It's a controversial thing.

I also think it might be paranoid, but it is a company level policy? @yevh

[yevh]

@rubo @LukaszRozmej The current codeql action already using v3 (this is tag version) and there are no any major changes between 2.19.0(pinned in the action) and 2.20.0 (latest). You can check it here: https://github.com/github/codeql-cli-binaries/releases

[rubo]

First, the version is not apparent from commit hashes, especially in this case, where the commit tag is v2 while GitHub recommendations refer to v3. This is a good example of how using commit hashes can be confusing and complicate maintenance. Second, we don't automatically get updates for actions, including bug fixes and security updates. There have been 14 updates to this GitHub action since the commit we hardcoded. This said, the disadvantages of using commit hashes outweigh the possible advantages if any.
IMO, using commit hashes may be justified for actions by some individuals that rarely get updates, while ones from big companies with a lot of attention and frequent update cycles are best with version numbers.

[yevh]

@rubo the updates it's important. One of the option that maybe used here is updating the pinned action with Dependabot(it automatically create a PR). We are currently working on making security related action a shared one. I think this will also help solve the update issue. Anyway, this is not yet a policy, but more than a recommendation.