Pedro Kaj Kjellerup Nacht authored
Fixes #20180.

This PR adds Dependabot to keep GitHub Actions up-to-date. It is set up to use grouped updates, so that you'll only receive a single monthly PR updating all Actions with new versions.

Note that even if this PR is merged, Bazel should still enable Dependabot Security Updates to guarantee that – if a vulnerability is found in an Action – Bazel will receive an "out-of-season" PR fixing that vulnerability as soon as possible.

I also noticed that `actions-ecosystem/action-remove-labels` (in `remove-labels.yml`) wasn't hash-pinned, so I pinned it.

Closes #20181.

PiperOrigin-RevId: 582254056
Change-Id: Ie78949fd7bb738e8bab8058f064015a6f845ac3b
496449c4