Prevent GHA from timing out after 3mo

[madwort]

• We believe Github Actions stops running scheduled actions after 3mo if there are no new commits to the repo.
• We believe that if we keep an automated record of the current sha of the ubuntu base images in the git repo, we can ensure that GHA keeps running, and we keep receiving security updates.
• see discussion at https://bennettoxford.slack.com/archives/C03ELD5FEAU/p1692357344762739

[madwort]

#26

[madwort]

new plan - #30 - unfinished, as I need to figure out how to get dependabot to do the right thing

EDIT: abandoned due to complications.

[madwort]

dargh not fixed, update to follow

[madwort]

So I'm an idiot, and hadn't taken into account that because main is a protected branch that requires an approval review to merge we can't just push to main from the scheduled task. So, if we want auto-merge we need the PR to be created by a different actor to the PR reviewer, which means PR created by dependabot & auto-merged by actionrunner.

The good news is that the hashes that dependabot is using when updating a Dockerfile now match what I expected to see. So I now think that the sha mismatch was due to version skew rather than a different package. citation actions/runner-images@cb9fe37