
Hash-pin action usages, minimize CI/CD permissions#309

Open
woodruffw wants to merge 2 commits into python:main from woodruffw-forks:ww/ci

Conversation

@woodruffw

Hello! This addresses some findings from zizmor 🙂

TL;DR is that I've hash-pinned all actions to make them more hermetic (making it harder for an attacker who compromises an action to push code directly to you via a mutable tag or branch). I've also added a Dependabot config that'll keep actions up-to-date, with a cooldown period that'll ensure that any action changes have at least a week to bake/receive security scrutiny before they're proposed for your inclusion. Separately, I've made the permissions on your CI/CD as minimal as possible and removed a very minor source of on-disk credential persistence via actions/checkout.

With these changes, the only remaining default zizmor finding is this:

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> ./.github/workflows/build.yml:82:20
   |
18 |   build:
   |   ----- this job
...
82 |         token: ${{ secrets.CODECOV_ORG_TOKEN }}
   |                    ^^^^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High

3 findings (2 suppressed): 0 informational, 0 low, 1 medium, 0 high

...which is pretty minor, but could be resolved by a maintainer by moving that credential into a dedicated deployment environment.

Separately, I have not included a CI integration for zizmor in this PR. But if you're interested in one LMK and I'd be happy to do a follow-up PR for it!

Signed-off-by: William Woodruff <william@yossarian.net>
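As an added illustration of the three hardening steps the PR description covers (hash-pinning `uses:` refs, an explicit minimal `permissions:` block, and `persist-credentials: false` on actions/checkout), here is a small workflow checker that is not zizmor and not part of this PR; the "before"/"after" workflow snippets are constructed, and the 40-hex SHAs in the "after" snippet are placeholders, not real commits of those actions. The Dependabot cooldown config is not modelled here.

```python
import itertools
import re

# Constructed "before": mutable tags, no permissions block, checkout persisting the token.
BEFORE = """\
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
"""

# Constructed "after" with the PR's hardening; the 40-hex SHAs are placeholders, not real commits.
AFTER = """\
on: [push, pull_request]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    findings, lines = [], text.splitlines()
    if not any(line.startswith("permissions:") for line in lines):
        findings.append("no top-level permissions: block; GITHUB_TOKEN keeps its default scopes")
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a step, or a local path / container ref with no git ref to pin
        repo, _, rev = m.group(1).partition("@")
        if not SHA_RE.match(rev):
            findings.append(f"line {idx + 1}: {repo} uses mutable ref '{rev or '(none)'}', not a commit SHA")
        if repo == "actions/checkout":
            # this step's remaining lines (its `with:` block) end at the next `- ` list item
            body = itertools.takewhile(lambda n: not re.match(r"^\s*-\s", n), lines[idx + 1:])
            if not any(re.match(r"^\s*persist-credentials:\s*false\s*$", b) for b in body):
                findings.append(f"line {idx + 1}: actions/checkout persists the token on disk; set persist-credentials: false")
    return findings
```

Running `audit_workflow` over the "before" snippet reports all four gaps; the "after" snippet comes back clean.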
