
Explicit set minor and patch version on used actions #4833

Merged
merged 3 commits into from
Aug 1, 2022

Conversation

yubiuser (Member)

@yubiuser yubiuser commented Jul 24, 2022

  • What does this PR aim to accomplish?:

Allow updates for GH actions by dependabot also for minor and patch versions. So far, we only specify major versions in our workflows. Therefore, dependabot will only check if new major versions exist and won't update the workflow on new minor or patch versions.

By explicitly setting minor and patch version we allow dependabot to update those as well.

E.g. action/stale@v5 is currently missing the close-issue-reason. This was added in v5.1.0. However, dependabot fails to recognize the update atm.

P.S. I expect some dependabot PRs after this has been merged. I did not update the versions manually to get the dependabot changelog.


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

  • I have read the above and my PR is ready for review. Check this box to confirm

@yubiuser yubiuser requested a review from a team July 24, 2022 12:41
@yubiuser (Member Author)

Smoke tests fail due to an upstream issue:
editorconfig-checker/editorconfig-checker#213

@yubiuser yubiuser added the PR: Approval Required Open Pull Request, needs approval label Jul 24, 2022
@yubiuser (Member Author)

CodeQL does not seem to use .minor.patch versioning.

@PromoFaux (Member)

Are the minors and patches not rolled into the v3 action? I've never seen an example workflow use the full version number...

@DL6ER (Member)

DL6ER commented Jul 24, 2022

@PromoFaux I don't think so, when you go to any action page and click on "Use latest version", you get a yaml code suggestion like

(screenshot of the "Use latest version" YAML suggestion)

@PromoFaux (Member)

👀 - and that's not even the latest version!

@DL6ER (Member)

DL6ER commented Jul 24, 2022

Latest seems to be the most recently released one, not necessarily in agreement with the largest version number.

(screenshot of the releases page)

@yubiuser (Member Author)

Currently latest versions:

checkout v3.0.2
stale v5.1.0
action-add-labels v1.1.0
action-editorconfig-checker v1.0.0
setup-python v4.1.0

@PromoFaux (Member)

Just throwing this in here.

Like I said, I've never seen any docs point to using an exact version before - upstream action owners should be moving the v2/v3 etc. tags to point to the latest minor/patch version.

It just feels like Dependabot will be opening unnecessary PRs with this change. Taking the actions/checkout repo as an example:

(image of the actions/checkout tags)

v3 and v3.0.2 point to the same commit - Dependabot does not need to do anything 🤷
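The PR description and the comment above describe two different things a `uses:` reference can be: a floating major tag such as `v3`, which the upstream owner moves to the newest minor/patch release and which dependabot only bumps when a new major version appears, or an exact version such as `v3.0.2`, which dependabot can update at minor and patch granularity. The following Python script is an added example written for this page; it is not code from Pi-hole or from this PR. It scans the `uses:` lines of a workflow and classifies each reference as a floating tag, an exact version, a full commit SHA, a branch name, or a local action, so a reviewer can list which actions would never receive minor/patch update PRs. The workflow text and the 40-character SHA inside it are constructed for the example.

```python
"""Classify how each GitHub Action in a workflow file is pinned.

Added example (not Pi-hole's own code). It reads the ``uses:`` lines of a
workflow and reports which references are floating major tags (e.g. v3),
exact versions (e.g. v3.0.2), full commit SHAs, branch names or local
actions. Floating tags are the ones dependabot will only ever bump to a
new major version, which is the situation the PR sets out to change.
"""
import re
from typing import List, NamedTuple

# Constructed sample workflow; it is not one of the project's real workflows.
# The 40-hex-character ref below is a made-up placeholder SHA.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-python@v4.1.0
      - uses: actions/stale@v5
      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846  # placeholder SHA
      - uses: ./.github/actions/local-check
      - uses: some-org/some-action@main
"""

# Matches "- uses: owner/repo@ref" (optionally quoted) and captures the spec
# up to whitespace, a quote or a trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full commit hash
EXACT_RE = re.compile(r"^v?\d+\.\d+\.\d+$")     # v3.0.2: exact release
FLOATING_RE = re.compile(r"^v?\d+(\.\d+)?$")    # v3 or v3.1: tag moved by upstream


class ActionRef(NamedTuple):
    action: str
    ref: str
    pin: str  # one of: sha, exact, floating, branch, local


def classify_ref(ref: str) -> str:
    """Return the pin category for the part of a uses: spec after '@'."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_RE.match(ref):
        return "exact"
    if FLOATING_RE.match(ref):
        return "floating"
    # Anything else (main, master, a feature branch) tracks a moving target.
    return "branch"


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Extract every uses: reference from the workflow text, in order."""
    refs: List[ActionRef] = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        if "@" not in spec:
            # A local action referenced by path: there is no tag to pin.
            refs.append(ActionRef(spec, "", "local"))
            continue
        action, ref = spec.rsplit("@", 1)
        refs.append(ActionRef(action, ref, classify_ref(ref)))
    return refs


def floating_actions(workflow_text: str) -> List[str]:
    """Actions that dependabot will only bump when a new major version exists."""
    return [f"{r.action}@{r.ref}" for r in parse_uses(workflow_text) if r.pin == "floating"]


if __name__ == "__main__":
    for r in parse_uses(SAMPLE_WORKFLOW):
        target = f"{r.action}@{r.ref}" if r.ref else r.action
        print(f"{r.pin:9} {target}")
    print("floating only:", floating_actions(SAMPLE_WORKFLOW))
```

Running it over a real `.github/workflows/*.yml` file instead of the constructed sample gives the list of actions the PR would have to rewrite. Note that an exact version only helps if the upstream actually tags each release (the `stale` case in this thread shows a release whose tag had not been moved), and a reference classified as `sha` is the only form that cannot change underneath you when a tag is moved.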

@PromoFaux (Member)

It appears only stale has not done this.

(images of the tags of the other actions)

@yubiuser (Member Author)

yubiuser commented Jul 25, 2022

I see this is an issue with stale not moving their release to the latest commit.
However, I still think this is a valid PR: we know exactly which action version we use, we see what's changed between versions and can easily revert if something breaks.
I'd like to know which software we are using. We always tell users to read our release notes, but for the actions we use we go mostly blindly so far.

@yubiuser (Member Author)

actions/stale#783

@yubiuser (Member Author)

To support my statement from above: currently, we have two issues with actions, stale and editorconfig-checker. If we used explicit versions, one would not have occurred and the other one could be mitigated by simply reverting to the previous action version.

@PromoFaux (Member)

You might just have convinced me. I notice you have set everything to x.0.0, is that to test the dependabot action? Might be safer to set it off on a test repo first of all and then just pin these to whatever version we want to (rather than deal with a million different dependabot PRs after/if this is merged)

@yubiuser force-pushed the workflow_versions branch 3 times, most recently from b138075 to 3f05b15 on July 25, 2022 21:46
PromoFaux previously approved these changes Jul 30, 2022
@yubiuser yubiuser added PR: Approved Open Pull Request, Approved by required number of reviewers and removed PR: Approval Required Open Pull Request, needs approval labels Jul 30, 2022
@yubiuser (Member Author)

Needs re-approval after force-push to amend pgp signature.

@yubiuser yubiuser requested a review from PromoFaux July 31, 2022 07:47
@PromoFaux PromoFaux merged commit 21158cb into development Aug 1, 2022
@PromoFaux PromoFaux deleted the workflow_versions branch August 1, 2022 16:20
Labels
internal PR: Approved Open Pull Request, Approved by required number of reviewers

3 participants