ci(.github): pin actions to commit-hash; set permissions at job level

[Fdawgs]

Also swap out unsafe automerge for fastify/github-action-merge-dependabot.

After what has been happening with tj-actions/changed-files over the past week this is probably a sensible idea.

See related blog post by rafaelgss about pinning to the commit-hash.

Checklist

• Commit message adheres to the Conventional commits style, following the @commitlint/config-conventional config

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[github-actions]

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.