ci: pin github actions by hash and update via dependabot

[xopham]

What does this PR do?

• Add dependabot for github actions
• Pin all actions by hash

Motivation

Pinning 3rd-party GitHub Actions by commit SHA makes them less vulnerable to compromise of the 3rd party. To avoid outdating and non-verbosity, versions are commented after the SHA and updating via dependabot is introduced that will automatically update the commented version tag as well.

In case of a false commit SHA, this change could break the corresponding workflow. Typically, this does not cause major interruptions, but it can for example affect a release pipeline and require restart causing delays.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.03%. Comparing base (386f4e7) to head (77a74f0).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5193      +/-   ##
==========================================
- Coverage   81.13%   81.03%   -0.11%     
==========================================
  Files         481      476       -5     
  Lines       21489    21341     -148     
==========================================
- Hits        17436    17293     -143     
+ Misses       4053     4048       -5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-02-03 17:25:40

Comparing candidate commit 77a74f0 in PR branch christoph.hamsen/pin-update-gh-actions with baseline commit 386f4e7 in branch master.

Found 1 performance improvements and 0 performance regressions! Performance is the same for 908 metrics, 24 unstable metrics.

scenario:plugin-graphql-with-depth-and-collapse-on-18

• 🟩 max_rss_usage [-83.186MB; -75.382MB] or [-8.791%; -7.966%]

[simon-id]

Seen reasonable enough 👍 I'm approving but please wait until you get approval from other teams as I'm not the only stakeholder of this repo :)