chore: pin Docker base images, pin cargo install versions, add Dependabot (#398)

- Pin debian:bookworm-slim and rust:1.93-bookworm to digest
- Pin cargo install [email protected] [email protected] --locked
- Add Dependabot config for cargo + github-actions (weekly, 7-day cooldown)

Co-authored-by: horsefacts <[email protected]>

Author: decofe

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: cargo
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    cooldown:
+      default-days: 7

Dockerfile

@@ -16,7 +16,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked,id=cargo-
     cargo build --profile ${RUST_PROFILE} \
         --bin tempo-zone --features "jemalloc"
 
-FROM debian:bookworm-slim AS base
+FROM debian:bookworm-slim@sha256:4724b8cc51e33e398f0e2e15e18d5ec2851ff0c2280647e1310bc1642182655d AS base
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \

Dockerfile.chef

@@ -1,6 +1,6 @@
-FROM rust:1.93-bookworm AS chef
+FROM rust:1.93-bookworm@sha256:7c4ae649a84014c467d79319bbf17ce2632ae8b8be123ac2fb2ea5be46823f31 AS chef
 
-RUN cargo install cargo-chef sccache
+RUN cargo install cargo-chef@0.1.77 sccache@0.14.0 --locked
 
 WORKDIR /app