* CI: reduce default permissions to minimum
* CI: update pin actions
Most of them. CodeQL and action-gh-release are untouched for now.
Immutable actions and actions/* are pinned to version,
other actions are pinned to hash.
* CI: make use of archive: false in upload-artifact
also set compression level and error behavior for scan-build upload.
* CI: update codeql and enable scanning actions
The value of 10 does not really fit some of our world patterns and values
up to 15 may be acceptable. Looking at some worlds, 14 seems to be
achievable without too much work and reduces the noise in test output,
making it more usable.
* CI: add a workflow to show flake8 violations in modified files of a PR
* modify a file to trigger the lint check
* CI: add a workflow to show mypy violations in modified files of a PR
* modify a file to trigger the type check
* Split flake8 and mypy into two parallel jobs; run a variant of the workflow on push event; modify a file to trigger the push workflow
* fail the task if there are syntax errors; remove old lint workflow