Use Dependabot and pin actions to releases

Dependabot will automatically open PRs to update dependencies.

Pinning actions to releases is good for security/stability.

Even better would be pinning to specific SHA hashes, but not necessary unless you want to.