ci: update github actions

[crazy-max]

- What I did

update github actions to latest major releases and also adds dependabot config to just keep gha actions up to date.

- How I did it

- How to verify it

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

Will this enable dependabot on the repo? (not a huge fan of having it running, also because it will start to open pull requests in 18.300 forks).

[crazy-max]

yeah if 18k forks rebase this would happen 🤷‍♂️

[neersighted]

ref dependabot/dependabot-core#2804 for the tracking of this issue as well as opencontainers/runc#3127 for this same issue in runc

[neersighted]

We could use renovate instead: https://docs.renovatebot.com/modules/manager/github-actions/

[crazy-max]

https://github.blog/changelog/2022-11-07-dependabot-pull-requests-off-by-default-for-forks/ 👀

[crazy-max]

@neersighted Maybe pick that change to #44444? v3.1.1 fixes the set-output warning: https://github.com/actions/upload-artifact/releases/tag/v3.1.1

[neersighted]

One concern I still have about use of Dependabot is the fact that each bump is a separate PR; this creates a large burden for backports to stable branches (as in general we will want to actively maintain our CI on all branches/keep it as aligned as is practical).

Renovate supports batched updates that could help reduce the noise/burden; but I do see the appeal of Dependabot given it is simpler/easier to learn and GitHub-native. We could consider something like tibdex/backport as a way of making (trivial) backports less of a burden in general (I have used it in another busy project with major success).

[thaJeztah]

Could we drop the bit for dependabot, and just manually update?

[neersighted]

If we do that, this is redundant with #44444 and we should close this one as suggested by @crazy-max.

[crazy-max]

Let's close it for now