Lock down CI a little #66
Conversation
Apparently this includes "Safer fork pull request handling" and "security fixes for known vulnerabilities" https://github.blog/changelog/2026-06-18-safer-pull_request_target-defaults-for-github-actions-checkout/
Via `zizmor . --fix=all`
CC @marcoieni who talked about doing this at the all hands "State of the Project" IIRC.
That's great, thank you! Do you want me to set up Renovate to keep the GitHub Actions up to date?
How important is that? I'm worried it's going to cause a load of churn/PRs for little benefit (especially with https://github.com/taiki-e/install-action/, which updates a lot for each tool update). But also, it's not up to me anymore; I've left T-Rustdoc: rust-lang/team#2523
We documented why we recommend Renovate in https://forge.rust-lang.org/infra/docs/renovate.html?highlight=renovate#about-dependency-updates. The setup that works for me is updating to breaking-compatible versions every month, and getting breaking-change PRs immediately. For example, for install-action you will only get one per month unless they go to v3.
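A `renovate.json` that implements the cadence described in the comment above (monthly batched non-breaking bumps, major bumps right away). This is an added example, not the Forge template or anything from this repository; the `description` strings, the grouping, and the choice to pin actions to commit digests via the `helpers:pinGitHubActionDigests` preset are assumptions about how one would configure it, and the schedule strings use Renovate's documented schedule syntax.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigests"
  ],
  "enabledManagers": ["github-actions"],
  "packageRules": [
    {
      "description": "Assumed policy: batch minor/patch/digest bumps of actions into one PR per month",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "groupName": "github-actions (non-breaking)",
      "schedule": ["on the first day of the month"]
    },
    {
      "description": "Assumed policy: major (breaking) bumps open a PR as soon as they are published",
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["major"],
      "schedule": ["at any time"]
    }
  ]
}
```

Pinning to a full commit SHA (with the version kept in a trailing comment) is what keeps a tag rewrite on a third-party action from silently changing what runs in CI; Renovate then moves the SHA for you on the same monthly or immediate cadence, so the pin does not turn into a maintenance burden.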
mmmm, makes sense. Only doing one bump a month (for non-breaking) seems pretty manageable.
Now zizmor isn't unhappy (even if it has lots to say when the level is cranked up):