Fix #22466 Add github actions dependency updates with dependabot

[iemejia]

R: @damccorm @pabloem

Please add a meaningful description for your change here

---

Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:

• Choose reviewer(s) and mention them in a comment (R: @username).
• Mention the appropriate issue in your description (for example: addresses #123), if applicable. This will automatically add a link to the pull request in the issue. If you would like the issue to automatically close on merging the pull request, comment fixes #<ISSUE NUMBER> instead.
• Update CHANGES.md with noteworthy changes.
• If this contribution is large, please file an Apache Individual Contributor License Agreement.

See the Contributor Guide for more tips on how to make review process smoother.

To check the build health, please visit https://github.com/apache/beam/blob/master/.test-infra/BUILD_STATUS.md

GitHub Actions Tests Status (on master branch)

See CI.md for more information about GitHub Actions CI.

[github-actions]

Assigning reviewers. If you would like to opt out of this review, comment assign to next reviewer:

R: @damccorm for label build.

Available commands:

• stop reviewer notifications - opt out of the automated review tooling
• remind me after tests pass - tag the comment author after tests pass
• waiting on author - shift the attention set back to the author (any comment or push by the author will return the attention set to the reviewers)

The PR bot will only process comments in the main thread (not review comments).

[damccorm]

I'm -1 on doing this. Right now, infra has to bless each version of GitHub actions that we run (e.g. https://issues.apache.org/jira/browse/INFRA-23219). So that means any time dependabot does an update, a corresponding infra ticket needs to be opened - that doesn't seem worth the effort; I'd rather just upgrade if a bug or feature forces it.

FWIW that's why I didn't initially include actions here.

[damccorm]

The only exception to that is that infra does allow actions from the github/actions org automatically. So if we wanted, we could turn it on just for those actions (which would mostly just be the setup-* actions)

[iemejia]

I see, a pity that this requires to contact INFRA for simple maintenance. What about the approved actions from other vendors (not github) Can we add those too or do they mind about versions too?

I created a list to enable updates, let me know what you think. Worse case we let only the github ones that are the majority of what Beam currently uses (70 of 91).

[damccorm]

What about the approved actions from other vendors (not github) Can we add those too or do they mind about versions too?

I'm not 100% sure if its enforced across the board, but AFAIK we would need to request an exception for each of those. It might be worth opening an Infra ticket to ask if they can be permanently allowed, but otherwise I'd vote we just keep it to GitHub for now.

[iemejia]

Ok I let only the actions from github. I suppose most of them should be already enable for the org and otherwise we might request them. WDYT? Should we give it a try?

[github-actions]

Reminder, please take a look at this pr: @damccorm

[damccorm]

This LGTM now, thanks!

[damccorm]

Optional - might be helpful to specifically call out the approval limitation for future readers

[iemejia]

Thanks for the review. I pushed it manually just with the extra suggested comment.