Periodically scan for vulnerabilities on all supported release branches

[gerardsn]

We currently scan for vulnerabilities using CodeQL and govulncheck on the master and V* branches when a PR is opened/merged into these branches.

We should periodically scan for vulnerabilities on the same branches (or at least supported versions). I can't find a reliable way to schedule github actions for other branches because:

• each branch requires its own github action file since you manually need to specify the branch if it is not the main branch. using a matrix for branches in actions/checkout allows using 1 file. This means we need to manually add a new action for every released minor version.
• schedules are automatically deactivated after 60 days of inactivity on the repo. This is probably fine, but the schedule is not automatically reactivated if the repo has new activity.
• schedules are deactivated if the user that made the last change to the 'cron' is removed from the organization. To reactivate the schedule, a change should be made to the 'cron' schedule (a change to the Github action file is insufficient).
• schedule outcomes are only sent to the user that last modified the 'cron' value

So the main concern is: scheduled actions are easily deactivated without any warning, and it is hard to (re-)activate them.

[gerardsn]

CodeQL is now scheduled to run twice per week

[gerardsn]

remaining concerns are limitations of the ecosystem and are accepted as is.