
Best practices for github actions: permissions and dependabot #223

Merged
merged 2 commits into from
Jun 28, 2023

Conversation

andros21
Contributor

@andros21 andros21 commented Jun 16, 2023

Related: #221

Description of changes:

Explicitly set permissions required inside github actions

For dependabot what you'd prefer for schedule interval?
And for the preference you expressed:

raise PRs unless there is a semver-breaking version bump

I think the closest behavior can be ignoring semver patch releases for all actions; minor and major releases, instead, can usually contain some breaking changes. Is it ok?

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@LukeMathWalker
Owner

I think we can lean on "increase-if-necessary" for Dependabot? (see here)

@andros21
Contributor Author

Maybe. I looked at it, but I don't see the github-actions ecosystem explicitly mentioned as supported in any of the available update strategies.

@LukeMathWalker
Owner

Yeah, you're right. Let's stick to your suggestion then.

Weekly schedule interval and ignore patch releases
@andros21
Contributor Author

andros21 commented Jun 23, 2023

To benefit from dependabot update checks, the last thing that remains to do is to explicitly pin the complete tag version for all github actions used (to avoid rolling tags such as checkout@v3), or even better the full commit hash.

Fortunately, for this error-prone task we can use https://github.com/step-security/secure-repo. I've already previewed changes for full-length commit SHA pinning: step-security-bot@760092b

If you are ok with this approach, I can let the bot open a PR, and then incorporate its changes here.

@LukeMathWalker LukeMathWalker merged commit fc474fb into LukeMathWalker:main Jun 28, 2023
@LukeMathWalker
Owner

I prefer to keep a rolling tag, which is why I want to skip patch updates (and perhaps minor, depending on the frequency).
Pinning would just lead to unnecessary PR churn on this repository.
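The configuration the thread converges on, written out as an added example rather than the PR's actual diff: a weekly Dependabot schedule for the github-actions ecosystem that ignores semver-patch bumps while keeping rolling tags, and a workflow that denies all token permissions at the top level and re-grants only what each job needs. The file names, the `ci` workflow and its test command are assumptions.

```yaml
# .github/dependabot.yml  (example, not the PR's own file)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" is the directory Dependabot expects for this ecosystem;
    # it scans .github/workflows from there.
    directory: "/"
    schedule:
      interval: "weekly"          # agreed interval in the thread
    ignore:
      # Skip patch bumps for every action so rolling tags (e.g. @v3) do
      # not cause PR churn; major and minor bumps still raise PRs.
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
        # To also skip minor bumps (the maintainer's "perhaps minor"):
        # update-types: ["version-update:semver-patch", "version-update:semver-minor"]
---
# .github/workflows/ci.yml  (hypothetical workflow name)
name: CI
on:
  push:
    branches: [main]
  pull_request:

# Start from no permissions for the GITHUB_TOKEN at the workflow level.
# Each job then states exactly what it needs, which is what the PR's
# "explicitly set permissions" change amounts to in practice.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read              # the minimum actions/checkout needs
    steps:
      - uses: actions/checkout@v3 # rolling major tag, as the maintainer prefers
      - run: make test            # assumption: replace with the project's test command
```

A job that neither lists `permissions:` nor inherits anything from the empty top-level block gets a token with no scopes, so a forgotten grant fails loudly in CI rather than silently over-privileging the workflow.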
