ci: improve github workflows (apache#2289)

## Which issue does this PR close?

<!--
We generally require a GitHub issue to be filed for all bug fixes and
enhancements and this helps us generate change logs for our releases.
You can link an issue to this PR using the GitHub syntax. For example
`Closes apache#123` indicates that this PR will close issue apache#123.
-->

- Closes #.

## What changes are included in this PR?
Relates to apache/iceberg#15742

This PR
- Add "ASF allowlist check"
- Pin commit for codeql.yml (zizmor recommended)
- Add back Github Action auto-update for dependabot (reverts apache#2267)
- Add cooldown to dependabot (zizmor recommended)
- `Swatinem/rust-cache@v2` -> `swatinem/rust-cache@v2` (fix case
sensitivity) [asf infra allowlist uses
lowercase](https://github.com/apache/infrastructure-actions/blob/fae466bc0d9821859a623cbc7648c750ff359ec6/approved_patterns.yml#L271)

We can add back dependabot for github action because the "ASF allowlist
check" will now alert when an action is not allowed (failures will no
longer be silent)

<!--
Provide a summary of the modifications in this PR. List the main changes
such as new features, bug fixes, refactoring, or any other updates.
-->

## Are these changes tested?

<!--
Specify what test covers (unit test, integration test, etc.).

If tests are not included in your PR, please explain why (for example,
are they covered by existing tests)?
-->

(cherry picked from commit aff502d)

Author: kevinjqliu

.github/dependabot.yml

@@ -17,6 +17,15 @@
 
 version: 2
 updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+    cooldown:
+      default-days: 7
+
   # Maintain dependencies for iceberg
   - package-ecosystem: "cargo"
     directory: "/"
@@ -35,3 +44,5 @@ updates:
         patterns:
           - "arrow*"
           - "parquet"
+    cooldown:
+      default-days: 7