* Upgrade GitHub actions & pin to commit hash
The only exception is `google/oss-fuzz` which does not seem to have releases
or Git tags, so pinning might not make sense there.
Also adds `actions/setup-java` to the `codeql-analysis` workflow to
explicitly specify the JDK version to use (and to use the caching of
that action) instead of relying on the default JDK of the runner image.
* Enable Dependabot for GitHub actions
---------
Co-authored-by: Éamonn McManus <emcmanus@google.com>
Disables the download transfer progress which is shown when Maven downloads
(or uploads) artifacts which are not available in the local repository.
This download progress can be quite verbose and is normally not that relevant.