Github Actions updates and setup dependabot (#8624)

* github: actions/checkout v2 -> v3

* github: actions/cache v2 -> v3

* github: actions/setup-python v2 -> v4

* github: dependabot for actions

* github: 'restricted' mode for token permissions

noticed at https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

whenever external action uses our token, overall workflow 'permissions:' apply
https://docs.github.com/en/actions/security-guides/automatic-token-authentication
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

ref. apps documentation to understand which permissions API endpoints need
https://docs.github.com/en/rest/overview/permissions-required-for-github-apps

* missed tag-to-draft action

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# see https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
+# make sure our actions stay up-to-date and we know about any updates.
+# most of the time, this happens for major releases.
+# (...unless we stop using version tags and switch to hashes...)
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/pull-request.yml

@@ -9,6 +9,10 @@ on:
   pull_request:
 
 
+permissions:
+  contents: read
+
+
 jobs:
 
 # Run 8 parallel jobs for the default build of all examples.
@@ -22,15 +26,15 @@ jobs:
       matrix:
         chunk: [0, 1, 2, 3, 4, 5, 6, 7]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Cache Linux toolchain
       id: cache-linux
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ./tools/dist
         key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -57,15 +61,15 @@ jobs:
       matrix:
         chunk: [0, 1, 2, 3, 4, 5, 6, 7]
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Cache Linux toolchain
       id: cache-linux
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ./tools/dist
         key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -85,15 +89,15 @@ jobs:
     name: Windows
     runs-on: windows-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Cache Windows toolchain
       id: cache-windows
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ./tools/dist
         key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -120,15 +124,15 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Cache Mac toolchain
       id: cache-mac
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ./tools/dist
         key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -152,10 +156,10 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Build subset on Platform.IO
@@ -179,10 +183,10 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Run host tests
@@ -203,10 +207,10 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Build documentation
@@ -230,10 +234,10 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Style check
@@ -264,10 +268,10 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Mock build
@@ -286,15 +290,15 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Cache Linux toolchain
       id: cache-linux
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         path: ./tools/dist
         key: ${{ runner.os }}-${{ hashFiles('package/package_esp8266com_index.template.json', 'tests/common.sh') }}
@@ -316,7 +320,7 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
     - name: Run codespell

.github/workflows/release-to-publish.yml

@@ -28,6 +28,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   package:
     name: Update master JSON file
@@ -36,7 +39,7 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: false
         fetch-depth: 0

.github/workflows/tag-to-draft-release.yml

@@ -18,11 +18,11 @@ jobs:
       run:
         shell: bash
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         submodules: true
         fetch-depth: 0
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v4
       with:
         python-version: '3.x'
     - name: Set GIT tag name