* Upgrade GitHub actions & pin to commit hash
The only exception is `google/oss-fuzz` which does not seem to have releases
or Git tags, so pinning might not make sense there.
Also adds `actions/setup-java` to the `codeql-analysis` workflow to
explicitly specify the JDK version to use (and to use the caching of
that action) instead of relying on the default JDK of the runner image.
* Enable Dependabot for GitHub actions
---------
Co-authored-by: Éamonn McManus <emcmanus@google.com>
Disables the download transfer progress which is shown when Maven downloads
(or uploads) artifacts which are not available in the local repository.
This download progress can be quite verbose and is normally not that relevant.
* Add CodeQL GitHub code scanning workflow
* Only compile main sources for code scanning
* Move test .proto files to test sources
`annotations.proto` also seems to be only relevant for tests because the test
explicitly registers them as extensions. By default the Proto adapter does not
consider them.
* Address some code scanning findings
* Fix some more findings
