fix: use commit SHA instead of tags for actions

[hdp617]

I think k8s repos started to enforce using commit SHA (which makes sense from security perspective) because the workflow is currently failing with The action actions/checkout@v4 is not allowed in kubernetes/cloud-provider-gcp because all actions must be pinned to a full-length commit SHA.

Also update dependabot to handle github actions.

[k8s-ci-robot]

This issue is currently awaiting triage.

If the repository mantainers determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hdp617]

/assign LogicalShark

[LogicalShark]

/lgtm
/approval

[LogicalShark]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hdp617, LogicalShark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [LogicalShark,hdp617]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[LogicalShark]

/lgtm

[hdp617]

/cherry-pick release-1.35

[k8s-infra-cherrypick-robot]

@hdp617: #1066 failed to apply on top of branch "release-1.35":

Applying: fix: use commit SHA instead of tags for actions
Using index info to reconstruct a base tree...
M	.github/dependabot.yml
A	.github/workflows/dependabot-sync.yml
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): .github/workflows/dependabot-sync.yml deleted in HEAD and modified in fix: use commit SHA instead of tags for actions. Version fix: use commit SHA instead of tags for actions of .github/workflows/dependabot-sync.yml left in tree.
Auto-merging .github/dependabot.yml
CONFLICT (content): Merge conflict in .github/dependabot.yml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 fix: use commit SHA instead of tags for actions

Details

In response to this:

/cherry-pick release-1.35

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.