* Upgrade GitHub actions & pin to commit hash
The only exception is `google/oss-fuzz` which does not seem to have releases
or Git tags, so pinning might not make sense there.
Also adds `actions/setup-java` to the `codeql-analysis` workflow to
explicitly specify the JDK version to use (and to use the caching of
that action) instead of relying on the default JDK of the runner image.
* Enable Dependabot for GitHub actions
---------
Co-authored-by: Éamonn McManus <emcmanus@google.com>