
Add dependabot-compatible tag for each release #160

@jonhoo


Currently, there's a branch per release to make it easy to select the Rust version you want. However, to improve the security posture of some projects (and reproducibility of CI), I'd like to instead pin them to a specific commit, and then have dependabot automatically bump that commit (and the tag comment) when a new version is available. Dependabot understands tags like v1.2.3, but does not know what to do when there are no tags and just branches.

In other words, I want to write

```yaml
uses: dtolnay/rust-toolchain@223bb27ae52e8d884432aaedb658fa4d9fc173b1 # tag=v1.72.1
  with:
    toolchain: stable
```

This works today, it just doesn't get auto-updated by dependabot since there are no tags.

The sad part is that this loses the ability to make changes to 1.72.1 after the fact, such as if the means of installation change (i.e., the action changes), since there would be no way to indicate that such a change had been made through the tags alone. I don't have a great answer to that. One way to go about it is to have the tag instead be the version of the action (as just a simple sequence number), bump that on every new Rust release (or action change), and then have the version of Rust be chosen with toolchain:, but I don't know if that's compatible with the action's current implementation?
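A check for the pinning convention the issue describes, added here as an example and not part of the issue or of dtolnay/rust-toolchain: it scans a workflow for `uses:` lines and reports whether each ref is a full commit SHA carrying a version comment that dependabot can bump. The sample workflow and the all-zero SHA are constructed; the `# tag=v...` comment form is the one used above, and accepting a bare `# v1.2.3` as equivalent is an assumption.

```python
import re

# Only a full 40-hex commit SHA is an immutable ref; tags and branches can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: <target>` optionally followed by `# v1.2.3` or `# tag=v1.2.3`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s*#\s*(?:tag=)?(?P<tag>v?\d[\w.-]*))?")
ACTION_RE = re.compile(r"^(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>.+)$")

def check_uses_pins(workflow_text):
    """Return (line_no, target, status) for every `uses:` line in a workflow.

    status is one of:
      ok                         - full SHA plus a version comment dependabot can bump
      pinned-no-version-comment  - full SHA, but nothing tells dependabot which tag it is
      unpinned                   - a tag or branch ref (mutable)
      unrecognised               - local path, docker:// or other non-repo reference
    """
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, tag = m.group("target", "tag")
        a = ACTION_RE.match(target)
        if not a:
            status = "unrecognised"
        elif not SHA_RE.match(a.group("ref")):
            status = "unpinned"
        elif tag is None:
            status = "pinned-no-version-comment"
        else:
            status = "ok"
        findings.append((no, target, status))
    return findings

# Constructed sample workflow: the dtolnay SHA is the one quoted in the issue,
# the all-zero SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@223bb27ae52e8d884432aaedb658fa4d9fc173b1 # tag=v1.72.1
        with:
          toolchain: stable
      - uses: actions/cache@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for no, target, status in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {no}: {status:26} {target}")
```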
