ci: pin all GitHub Actions by SHA and update via dependabot

[xopham]

Changes with this PR are:

• Add dependabot for github actions
• Pin all actions by hash

Pinning 3rd-party GitHub Actions by commit SHA makes them less vulnerable to compromise of the 3rd party. To avoid outdating and non-verbosity, versions are commented after the SHA and updating via dependabot is introduced that will automatically update the commented version tag as well.

In case of a false commit SHA, this change could break the corresponding workflow. Typically, this does not cause major interruptions, but it can for example affect a release pipeline and require restart causing delays.

Checklist

• PR author has checked that all the criteria below are met
• The PR description includes an overview of the change
• The PR description articulates the motivation for the change
• The change includes tests OR the PR description describes a testing strategy
• The PR description notes risks associated with the change, if any
• Newly-added code is easy to change
• The change follows the library release note guidelines
• The change includes or references documentation updates if necessary
• Backport labels are set (if applicable)

Reviewer Checklist

• Reviewer has checked that all the criteria below are met
• Title is accurate
• All changes are related to the pull request's stated goal
• Avoids breaking API changes
• Testing strategy adequately addresses listed risks
• Newly-added code is easy to change
• Release note makes sense to a user of the library
• If necessary, author has acknowledged and discussed the performance implications of this PR as reported in the benchmarks PR comment
• Backport labels are set in a manner that is consistent with the release branch maintenance policy

[github-actions]

CODEOWNERS have been resolved as:

.github/dependabot.yml                                                  @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/backport.yml                                          @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/build-and-publish-image.yml                           @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/build_deploy.yml                                      @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/build_python_3.yml                                    @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/changelog.yml                                         @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/check_old_target_branch.yml                           @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/codeowners.yml                                        @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/codeql-analysis.yml                                   @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/django-overhead-profile.yml                           @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/encoders-profile.yml                                  @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/flask-overhead-profile.yml                            @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/generate-package-versions.yml                         @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/generate-supported-versions.yml                       @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/pr-name.yml                                           @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/profiling-native.yml                                  @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/prune_workflow.yml                                    @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/pytorch_gpu_tests.yml                                 @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/require-checklist.yaml                                @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/requirements-locks.yml                                @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/rust-ci.yml                                           @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/set-target-milestone.yml                              @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/stale.yml                                             @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/system-tests.yml                                      @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/test_frameworks.yml                                   @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/test_lib_injection.yml                                @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/unit_tests.yml                                        @DataDog/python-guild @DataDog/apm-core-python
.github/workflows/upstream-issues.yml                                   @DataDog/python-guild @DataDog/apm-core-python

[datadog-dd-trace-py-rkomorn]

Datadog Report

Branch report: christoph.hamsen/pin-update-gh-actions
Commit report: 438ecba
Test service: dd-trace-py

✅ 0 Failed, 130 Passed, 1468 Skipped, 4m 39.43s Total duration (35m 42.75s time saved)

[pr-commenter]

Benchmarks

Benchmark execution time: 2025-02-03 12:34:10

Comparing candidate commit 54404c7 in PR branch christoph.hamsen/pin-update-gh-actions with baseline commit 7257296 in branch 3.x-staging.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 394 metrics, 2 unstable metrics.