Keep GitHub Actions up to date with GitHub's Dependabot

[cclauss]

• Keeping your actions up to date with Dependabot
• Configuration options for the dependabot.yml file - package-ecosystem

[thewh1teagle]

Is this important in terms of security? Because Dependabot distracts me with notifications many times, I prefer not to use it.

[cclauss]

https://docs.github.com/en/code-security is where GitHub positions Dependabot.

This PR is designed to reduce chattiness to a bare minimum. GitHub Actions have very infrequent major version changes. setup-uv for instance has only had four major upgrades in its lifetime. Also, when GHAs are upgraded, it often happens in batches. The pattern: * will consolidate all GHA updates into a single pull request to further reduce chattiness. See: rapidfuzz/RapidFuzz#362

There is a tradeoff between supply chain security and chattiness. Given that this repo uses a few GHAs that are updated rarely and usually in batches and we are using pattern: * to ensure that there will only ever be a single GHA upgrade PR at a time.

[thewh1teagle]

As long as it doesn't send more frequently than once a year, it's good.
Thanks!

[cclauss]

Generated

• Bump actions/checkout from 3 to 4 in the github-actions group #7