build: pin GHA to commit SHAs, add workflow permissions and dependabot

[markmandel]

What type of PR is this?

Uncomment only one /kind <> line, press enter to put that in a new line, and remove leading whitespace from that line:

/kind breaking
/kind bug

/kind cleanup

/kind documentation
/kind feature
/kind hotfix
/kind release

What this PR does / Why we need it:

Pin all GitHub Actions references to immutable commit SHAs with inline version comments. Upgrade fossas/fossa-action from @main to v1.9.0. Add top-level permissions: {} to all workflow files and a missing contents: read block to fossa.yml (fixes code scanning alert #23). Add .github/dependabot.yml to enable weekly version update PRs for GitHub Actions.

This was done (a) because it's a good idea, and (b) because we kept getting malicious PRs trying to get us to point GitHub Actions to invalid SHA targets.

Which issue(s) this PR fixes:

N/A

Special notes for your reviewer:

https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions recommends this.

[markmandel]

@lacroixthomas particularly want your eyes on this, since you've been doing more with GitHub actions, and you did the fossa bot.

[agones-bot]

Build Failed 😭

Build Id: 4475fbb5-5970-4311-a550-adc5e13cba2a

Status: FAILURE

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[lacroixthomas]

Checked the SHA commits one by one, LGTM !
Also, thanks for putting the actual version it points to as a comment next to it 👌🏼

[agones-bot]

Build Failed 😭

Build Id: cadc7cd8-d51f-4571-b14e-52d60dbba4d6

Status: FAILURE

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[markmandel]

Hoisted on my own linter!

[agones-bot]

Build Succeeded 🥳

Build Id: f687649c-12ea-4155-88a9-641a2df406a3

The following development artifacts have been built, and will exist for the next 30 days:

• image: us-docker.pkg.dev/agones-images/ci/agones-controller:1.59.0-dev-5bae142
• image: us-docker.pkg.dev/agones-images/ci/agones-extensions:1.59.0-dev-5bae142
• image: us-docker.pkg.dev/agones-images/ci/agones-sdk:1.59.0-dev-5bae142-linux
• image: us-docker.pkg.dev/agones-images/ci/agones-ping:1.59.0-dev-5bae142
• image: us-docker.pkg.dev/agones-images/ci/agones-allocator:1.59.0-dev-5bae142
• image: us-docker.pkg.dev/agones-images/ci/agones-processor:1.59.0-dev-5bae142
• Linux C++ SDK (build): agonessdk-1.59.0-dev-5bae142-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.59.0-dev-5bae142.zip

A preview of the website (the last 30 builds are retained):

• https://5bae142-dot-preview-dot-agones-images.appspot.com/

To install this version:

git fetch https://github.com/googleforgames/agones.git pull/4601/head:pr_4601 && git checkout pr_4601
helm install agones ./install/helm/agones --namespace agones-system --set agones.image.registry=us-docker.pkg.dev/agones-images/ci --set agones.image.tag=1.59.0-dev-5bae142