
CI: implement best practices and update actions #100

Merged
black-sliver merged 4 commits into ArchipelagoMW:main from black-sliver:ci/best-practices
Apr 15, 2026

black-sliver commented Apr 15, 2026

  • use cooldown in dependabot config:
    • this delays opening non-security PRs by 3 days, hopefully skipping any bad updates
    • Actions currently do not support cooldown, but hopefully this will be added in the future.
  • put permissions: everywhere with the minimal set of actually required permissions:
    • secrets should always be available, I think (if not we'll only see this after merging)
    • checkout and upload-artifact work with empty permissions on public repos
    • required permissions for dependency graph are copied from action documentation
  • disable cache for release build - this makes it impossible to poison the cache of release builds
  • update actions to latest and pin them
    • the changes look compatible
    • actions/* still use the discontinued preview of immutable actions. If immutable actions ever get completely removed, I hope actions/* will move to immutable releases (to make tags immutable)
    • the gradle/* is third party, so we pin by hash

We should probably make the maven signing/publish conditional at some point so forks can build in CI.

if supported; 3 days is hopefully good enough to catch bad stuff.

Actions currently do not support cooldown, but hopefully this will
be added in the future.
actions/* are pinned to version. Those should use immutable actions preview.
gradle/* is pinned by commit hash.
cache: gradle
- name: Submit Dependency Snapshot
uses: gradle/actions/dependency-submission@v4
uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
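
Review bot: the `uses:` line for the Submit Dependency Snapshot step jumps from v4 to v6.1.0 in one change with nothing else in the visible lines adjusted, so check the release notes of the intervening major versions for changed inputs or defaults before relying on it. The trailing `# v6.1.0` comment is also the only thing tying the 40-character hash to a release; confirm the hash against the upstream tag during review, since a wrong comment would go unnoticed by the workflow itself.
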
Collaborator

By my reading, this looks to have been superseded twice. Firstly, in favor of https://github.com/gradle/gradle-build-action?tab=readme-ov-file#github-dependency-graph-support, and then that was replaced in favor of https://github.com/gradle/actions/blob/main/docs/setup-gradle.md.

Dunno that we need to change it right away, but eventually I guess.

Member Author

I think setup-gradle replaces setup-java (and also implements submitting the dependency graph), but gradle/actions/dependency-submission seems to still be maintained.
We could switch in the future, but I am not sure if setup-gradle has any real advantage over what we are doing now.

black-sliver merged commit b100154 into ArchipelagoMW:main Apr 15, 2026
1 check passed
black-sliver deleted the ci/best-practices branch April 15, 2026 07:12
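
The pinning and permissions policy from the pull request description (actions/* pinned to a version, third-party actions pinned by commit hash with a version comment, `permissions:` set everywhere) can be checked mechanically. The following is an added example, not part of the thread or the project's code; `audit_workflow` and `version_pinned_owners` are hypothetical names, the workflow excerpts are constructed, and `contents: write` is an assumption about the dependency-submission action's documented requirement.

```python
import re

# owner/repo[/path]@ref with an optional trailing "# version" comment
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([\w.-]+)/[^@\s]+@(\S+)(?:\s+#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TOP_PERMS_RE = re.compile(r"^permissions:", re.MULTILINE)

def audit_workflow(text, version_pinned_owners=("actions",)):
    """Return (line_number, message) findings; line 0 means the file as a whole."""
    findings = []
    if not TOP_PERMS_RE.search(text):
        findings.append((0, "no top-level permissions: block"))
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not an action reference (local ./path steps have no @ref)
        owner, ref, comment = m.groups()
        if SHA_RE.match(ref):
            if not comment:
                findings.append((n, f"{owner}: hash pin has no version comment"))
        elif owner not in version_pinned_owners:
            findings.append((n, f"{owner}: third-party action on mutable ref {ref}"))
    return findings

# Constructed workflow excerpts; only the gradle action lines are taken from this page.
BEFORE = """\
jobs:
  submit:
    steps:
      - uses: actions/checkout@v4
      - name: Submit Dependency Snapshot
        uses: gradle/actions/dependency-submission@v4
"""
AFTER = """\
permissions: {}
jobs:
  submit:
    permissions:
      contents: write  # assumed from the action's documentation, not shown on this page
    steps:
      - uses: actions/checkout@v4
      - name: Submit Dependency Snapshot
        uses: gradle/actions/dependency-submission@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_workflow(text))
```

The check only looks at the default token scope and the form of each pin; it does not confirm that a hash actually corresponds to the version named in its comment.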