
Hash pin only sensible workflows #4214

Closed: joycebrum wants to merge 5 commits into nlohmann:develop from joycebrum:develop

Conversation

joycebrum (Contributor)

Closes #4058

I've hash pinned only the workflows that had write permissions and configured the dependabot to run monthly. It may, from time to time, suggest major updates on other workflows, but you can use a "dependabot command" to make it not suggest that upgrade anymore.


Pull request checklist

Read the Contribution Guidelines for detailed information.

  • Changes are described in the pull request, or an existing issue is referenced.
  • The test suite compiles and runs without error.
  • Code coverage is 100%. Test cases can be added by editing the test suite.
  • The source code is amalgamated; that is, after making changes to the sources in the include/nlohmann directory, run make amalgamate to create the single-header files single_include/nlohmann/json.hpp and single_include/nlohmann/json_fwd.hpp. The whole process is described here.

Please don't

  • The C++11 support varies between different compilers and versions. Please note the list of supported compilers. Some compilers like GCC 4.7 (and earlier), Clang 3.3 (and earlier), or Microsoft Visual Studio 13.0 and earlier are known not to work due to missing or incomplete C++11 support. Please refrain from proposing changes that work around these compilers' limitations with #ifdefs or other means.
  • Specifically, I am aware of compilation problems with Microsoft Visual Studio (there even is an issue label for this kind of bug). I understand that even in 2016, complete C++11 support isn't there yet. But please also understand that I do not want to drop features or uglify the code just to make Microsoft's sub-standard compiler happy. The past has shown that there are ways to express the functionality such that the code compiles with the most recent MSVC - unfortunately, this is not the main objective of the project.
  • Please refrain from proposing changes that would break JSON conformance. If you propose a conformant extension of JSON to be supported by the library, please motivate this extension.
  • Please do not open pull requests that address multiple issues.

step-security-bot and others added 2 commits November 24, 2023 17:23
* [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <[email protected]>

* Update dependabot.yml

Signed-off-by: Joyce <[email protected]>

* Update labeler.yml

Signed-off-by: Joyce <[email protected]>

---------

Signed-off-by: StepSecurity Bot <[email protected]>
Signed-off-by: Joyce <[email protected]>
Co-authored-by: Joyce <[email protected]>
@coveralls

coveralls commented Nov 24, 2023

Coverage Status

coverage: 99.634%. remained the same
when pulling 2204d67 on joycebrum:develop
into 620034e on nlohmann:develop.

@nlohmann added the "please rebase" label (Please rebase your branch to origin/develop) on Dec 12, 2024

@nlohmann (Owner)

Now that the CI is green again on develop, can you please update this PR?

@joycebrum (Contributor, Author)

> Now that the CI is green again on develop, can you please update this PR?

Sure, done!

@nlohmann (Owner)

What about the other GitHub actions in .github/workflows?

Signed-off-by: Joyce <[email protected]>
@joycebrum (Contributor, Author)

> What about the other GitHub actions in .github/workflows?

Ah, you mean upgrading the versions. I thought it was just solving the merge conflicts, sorry.
Done too.

@nlohmann (Owner)

FYI: I used https://app.stepsecurity.io/securerepo to create #4539.

@joycebrum (Contributor, Author)

> FYI: I used https://app.stepsecurity.io/securerepo to create #4539.

Nice! I'll close this then, since it was already covered by #4539.
One note: if you ever want to reduce the number of dependabot PRs (if they are too frequent or numerous), you can do something similar to what I suggested in this PR:

version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: daily
    groups: # group dependency updates all in a single PR
      github-actions:
        patterns:
          - "*"

  - package-ecosystem: pip
    directory: /docs/mkdocs
    schedule:
      interval: daily
    groups:
      pypi:
        patterns: # group dependency updates all in a single PR
          - "*"

  - package-ecosystem: pip
    directory: /tools/serve_header
    schedule:
      interval: daily
    groups: # group dependency updates all in a single PR
      pip:
        patterns:
          - "*"

@joycebrum joycebrum closed this Dec 16, 2024
@nlohmann (Owner)

Sorry for the back and forth with this PR, and thanks for the hints. I did not know about pinning dependencies via hashes or how dependabot can be configured.

Labels: CI, M, please rebase (Please rebase your branch to origin/develop)
Projects: None yet
Linked issue (may be closed by merging this pull request): Feat: hash pin github workflow dependencies (#4058)
4 participants