ci: auto update pinned actions#160

Open
Florian Ruppel (fruppel) wants to merge 5 commits into main from ci/auto-update-pinned-actions

Conversation

@fruppel Florian Ruppel (fruppel) commented Jun 11, 2026

Contributor

Replaces Dependabot for GitHub Actions with commit SHA pinning

Dependabot only supports semantic version tags and cannot pin actions to a specific commit SHA. This PR introduces two new composite actions and a scheduled workflow to fill that gap.

  • check-pinned-actions — PR gate that fails if any non-Shopware action is referenced by a tag or branch instead of a full commit SHA
  • update-pinned-actions — composite action that checks all actions for newer releases, updates every occurrence to the latest release's commit SHA, and opens a PR; detects potential breaking changes (major version bumps, "breaking change" keywords in release notes) and includes them in the PR description
  • A scheduled workflow runs the update every Monday and Wednesday at 07:00 UTC
  • Shared utilities (lib/action-utils.js) are used by both scripts to avoid duplication
  • Dependabot's github-actions ecosystem is disabled as it is now superseded
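The check-pinned-actions gate described above, as an added illustration that is not the PR's own code: a line-based scan over a workflow file that flags every third-party `uses:` reference whose ref is not a full 40-hex commit SHA. The trusted owner list (assumed here to be just `shopware`), the helper names and the sample workflow are constructed for this example.

```javascript
// Added example, not code from this PR: report `uses:` references that are
// pinned to a tag or branch instead of a full commit SHA. Local actions
// (./path), docker:// images and actions from trusted owners are skipped.

const FULL_SHA = /^[0-9a-f]{40}$/;
// Matches `- uses: owner/repo@ref`, with or without quotes, ignoring a trailing comment.
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?/;

function parseUses(uses) {
  // "owner/repo[/subdir]@ref" -> { owner, repo, ref }; null when there is no "@ref"
  const at = uses.lastIndexOf('@');
  if (at === -1) return null;
  const [owner, repo] = uses.slice(0, at).split('/');
  return { owner, repo, ref: uses.slice(at + 1) };
}

function findUnpinnedActions(workflowText, trustedOwners = ['shopware']) {
  const violations = [];
  workflowText.split('\n').forEach((line, idx) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const uses = m[1];
    if (uses.startsWith('./') || uses.startsWith('docker://')) return;
    const parsed = parseUses(uses);
    if (!parsed) {
      violations.push({ line: idx + 1, uses, reason: 'no ref given' });
      return;
    }
    if (trustedOwners.includes(parsed.owner)) return;
    if (!FULL_SHA.test(parsed.ref)) {
      violations.push({ line: idx + 1, uses, reason: `ref "${parsed.ref}" is not a full commit SHA` });
    }
  });
  return violations;
}

// Constructed sample workflow: the SHA below is a made-up placeholder, not a real commit.
const SAMPLE_WORKFLOW = `jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: actions/setup-node@v4
      - uses: shopware/some-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: "codecov/codecov-action@main"
`;

console.log(JSON.stringify(findUnpinnedActions(SAMPLE_WORKFLOW), null, 2));
```

In a PR gate the process would exit non-zero when the returned list is non-empty; the owner allow-list is the one place where a tag-pinned reference is accepted, so it should stay as short as the PR describes (only the repository's own organisation).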

@shyim

Member

Why are we building our own dependabot? That will never be properly maintained by us.
I cannot validate your argument about commit SHAs; it has been working for years in my cli repo. See example:
https://github.com/shopware/shopware-cli/pull/1054/changes

@fruppel

Contributor Author

Why are we building our own dependabot? That will never be properly maintained by us. I cannot validate your argument about commit SHAs; it has been working for years in my cli repo. See example: https://github.com/shopware/shopware-cli/pull/1054/changes

Interesting... let me check that again. If it works with dependabot I don't want to implement this again :)

@fruppel Florian Ruppel (fruppel) removed the request for review from a team June 11, 2026 08:45
@fruppel Florian Ruppel (fruppel) marked this pull request as draft June 11, 2026 08:55
@fruppel Florian Ruppel (fruppel) marked this pull request as ready for review June 12, 2026 13:51
@fruppel

Contributor Author

Soner (@shyim), I removed the dependabot clone because you're totally right, dependabot can work with commit hashes. I would just like to keep the check for whether actions are pinned.
