Add dependabot, switch to SHA action versions #50

Merged
merged 4 commits into from
Nov 13, 2021

Conversation

wolf99
Contributor

@wolf99 wolf99 commented Oct 18, 2021

In the link from the README about security (https://francoisbest.com/posts/2020/the-security-of-github-actions) it mentions the risk of using release tags rather than SHAs to reference dependencies in the workflow.
Additionally I note that there is no dependabot keeping these pinned actions up to date.

This PR does several things:

  • Change workflow action semver pins to SHA pins
  • Add dependabot
  • Update the README examples from semver pins to SHA pins

The impact for this repo is:

  • Dependabot creates PRs for action releases, even minor version releases, that will need reviewing and merging
  • Manual updates required for the SHAs in the README examples (i.e. actions/checkout and lycheeverse/lychee)
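As an added illustration of the pin change this PR describes (example code written for this page, not part of the lycheeverse project or the PR itself), the script below scans a workflow for `uses:` references and reports every action that is not pinned to a full 40-hex commit SHA, then rewrites the tag pins to SHAs from a caller-supplied mapping, keeping the original tag as a trailing comment. The sample workflow and the tag-to-SHA mapping are constructed for the example; the SHAs are placeholders, not real commits of those actions, and in practice you would fill the mapping from `git ls-remote` or the GitHub API before trusting the result.

```python
import re

# One `uses:` step referencing a remote action: owner/repo[/path]@ref [# comment]
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not the repository's real workflow). Action names
# are illustrative; the last step copies the SHA-pinned form quoted in this thread.
SAMPLE_WORKFLOW = """\
name: Links
on: [push]
jobs:
  linkChecker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Link Checker
        uses: lycheeverse/lychee-action@v1.0.8
      - uses: ./.github/actions/local-helper
      - uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc # 0.9.0
"""

# Hypothetical tag -> SHA resolution; placeholder values, not real commits.
RESOLVED = {
    ("actions/checkout", "v2"): "a" * 40,
    ("lycheeverse/lychee-action", "v1.0.8"): "b" * 40,
}


def find_uses(workflow_text):
    """Return (line_number, action, ref) for each remote action reference.

    Local actions (`uses: ./path`) and `docker://` images have no owner/repo@ref
    form and are skipped; a moved tag cannot change what they run.
    """
    found = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m.group("action"), m.group("ref")))
    return found


def is_sha_pinned(ref):
    """True only for a full 40-hex commit SHA. Tags, branches and abbreviated
    SHAs all resolve through something the action's maintainer (or an attacker
    with push access) can move, so they count as unpinned."""
    return FULL_SHA_RE.fullmatch(ref) is not None


def unpinned(workflow_text):
    """Every action reference that would silently follow a retagged release."""
    return [(n, a, r) for n, a, r in find_uses(workflow_text) if not is_sha_pinned(r)]


def pin_to_sha(workflow_text, resolved):
    """Rewrite tag/branch refs found in `resolved` ({(action, ref): sha}) to the
    SHA, keeping the human-readable ref as a trailing comment. Any existing
    trailing comment on that line is replaced. Refs missing from `resolved`
    are left untouched so they still show up in unpinned()."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not is_sha_pinned(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key in resolved:
                line = f"{m.group('prefix')}{m.group('action')}@{resolved[key]} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, action, ref in unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_to_sha(SAMPLE_WORKFLOW, RESOLVED))
```

The checker is deliberately a line-based regex rather than a YAML parser so it can be dropped into a pre-commit hook or CI step with no dependencies; it will miss `uses:` values split across lines or built from expressions, which a full parser would catch.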

@mre
Member

mre commented Oct 25, 2021

The downside is that the docs become slightly more confusing. As a potential user I would be confused about the usage of a hash instead of a version number. Perhaps looking at all the other actions that just used version numbers spoiled me. Any other known actions that use SHA action versions in their docs?
(Thanks for working on this by the way. 😃)

@wolf99
Contributor Author

wolf99 commented Oct 26, 2021

Unsure off the top of my head. I can search a bit better later today.

However I see in the following issue that GitHub themselves, Dependabot, and Go all prefer to use SHAs for actions used in their repos.

dependabot/dependabot-core#2835

Also, the following recommendation from GitHub: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

@wolf99
Contributor Author

wolf99 commented Oct 26, 2021

Have made a quick poll of the top actions on GitHub Marketplace and see none that document with SHAs. Most use either vN or master.

This seems to be because of GitHub's documentation for action builders. But it is at odds with what GitHub themselves do (as per the above comment).

I think it is a fair question to ask. But given the above info, I don't have a good answer.

@mre
Member

mre commented Oct 26, 2021

However I see in the following issue that GitHub themselves, dependabot, and Go lang all prefer to use SHAs for actions used in their repos. dependabot/dependabot-core#2835

I support what @willnorris mentioned in the comment:

One additional thing we do, however, is to leave a comment for what release that SHA corresponds to (similar to what github/docs is doing in their allowlist).

    steps:
      - uses: styfle/cancel-workflow-action@89f242ee29e10c53a841bfe71cc0ce7b2f065abc # 0.9.0

That would indeed make things a little cleaner.

In the meantime, can we instead add the contents of your .github/dependabot.yml to the README.md? Maybe under a separate section like "Security tip: Pin this Github action using SHA instead of release". We could add the links you mentioned as well. I'd accept a PR for that.
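For readers who want the configuration this comment refers to, the following is an added example of a `.github/dependabot.yml` that enables Dependabot for GitHub Actions; it is written for this page and is not a copy of the file in the PR. The `github-actions` ecosystem with `directory: "/"` covers the workflows under `.github/workflows`; the weekly interval is a choice, not a requirement.

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place Dependabot opens a PR whenever an action you reference has a new release, bumping the SHA pin in the workflow file so the pin stays current without anyone copying commit hashes by hand.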

@wolf99
Contributor Author

wolf99 commented Nov 11, 2021

Leaving the version in the comment usually winds up actually being more work rather than the less work expected with automation - because Dependabot does not handle these, so they require either manual intervention on the Dependabot PR, or they quickly fall out of sync.

@mre mre merged commit 8fbf0b5 into lycheeverse:master Nov 13, 2021
@mre
Member

mre commented Nov 13, 2021

Thanks a lot for your contribution @wolf99. 😃

@wolf99 wolf99 deleted the add-dependabot branch November 13, 2021 12:30