google-github-actions / get-gke-credentials

A GitHub Action that configures authentication to a GKE cluster.
https://cloud.google.com/gke
Apache License 2.0

Add note about dependabot for GH action updates #229

Closed mik-laj closed 2 years ago

mik-laj commented 2 years ago
sethvargo commented 2 years ago

Hi @mik-laj

Thank you for opening a PR. I don't see the value in recommending dependabot for this use case. If you care about specific versions and pinning, you should pin to @vx.y.z or even use a tool like Ratchet to pin to specific SHAs. If you always want the latest version with non-breaking changes, pin to @vx. Allowing a service to blindly pull in breaking changes seems like a recipe for disaster.

mik-laj commented 2 years ago

@sethvargo Dependabot does not modify the code in the repository, but only creates a PR to notify about the update and check that it is working properly. As for SHA1, they are also supported, which means that you can use SHA1 instead of tags and Dependabot will still take care of updates.
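The two positions above (pinning by tag or SHA, and letting Dependabot propose updates as PRs) can be combined. The configuration below is an added illustration and is not part of this repository or of the PR; the commit SHA and version numbers are placeholders, and the workflow name and branch are assumed.

```yaml
# .github/workflows/deploy.yml (added example, not from this repository)
name: deploy
on:
  push:
    branches: [main]   # assumed branch name
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # needed for Workload Identity Federation with google-github-actions/auth
    steps:
      - uses: actions/checkout@v4

      # Weakest pin: a moving major tag. Non-breaking updates arrive silently;
      # nothing in the repo records which exact code ran on a given day.
      # - uses: google-github-actions/get-gke-credentials@v2

      # Stronger: an exact release tag. Tags can still be moved by the publisher.
      # - uses: google-github-actions/get-gke-credentials@v2.0.0   # placeholder version

      # Strongest: an immutable commit SHA, with the version kept in a trailing
      # comment. Dependabot bumps both the SHA and the comment in its PR.
      - uses: google-github-actions/get-gke-credentials@0000000000000000000000000000000000000000 # v2.0.0 (placeholder SHA/version)
        with:
          cluster_name: my-cluster   # assumed cluster name
          location: us-central1      # assumed location

---
# .github/dependabot.yml (added example, not from this repository)
# Dependabot only opens a pull request; the pinned SHA in the workflow does not
# change until a maintainer reviews and merges that PR.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

The two documents are separated by `---` only for presentation; each lives in its own file under `.github/`.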