Bump actions in README

[Goooler]

Closes #1287.

[spencerschrock]

We try to avoid unpinned actions, see #1290 (comment) for details.

In the README, this makes it easy for things to go out of date. So it's about balancing a trade-off of up-to-date versions with contradicting our own advice.

[Goooler]

In the README, this makes it easy for things to go out of date.

Yeah, I was thinking about this too. I suggest we can use major version in README to let users obtain the latest minor updates.

[spencerschrock]

Resolved through #1352. Dependabot will keep the example up-to-date, so we wont need to update it here anymore.

I suggest we can use major version in README

Since our README example is in our control, we are going to advocate for dependency pinning still.
https://docs.github.com/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

I did try to switch our starter workflow to using the major versions since that's annoying to upgrade, but their CONTRIBUTING.md requires the use of hash pinning.