DOC: Advocate for using action from tagged release commit SHAs

* For security best practices, advocate that users of the action use it
  from known commit SHAs that correspond to tagged releases.
* Advocate that users use a Dependabot config file to update the action
  on new tags. This will bump the commit SHA and also bump the release
  tag in the comment of the commit SHA.
   - c.f. https://learn.scientific-python.org/development/guides/gha_basic/#updating

Author: matthewfeickert

README.md

@@ -11,12 +11,25 @@ jobs:
   steps:
     ...
     - name: Upload wheel
-      uses: scientific-python/upload-nightly-action@main
+      uses: scientific-python/upload-nightly-action@8f0394fd2aa0c85d7364a9958652e8994e06b23c # 0.1.0
       with:
         artifacts_path: dist
         anaconda_nightly_upload_token: ${{secrets.UPLOAD_TOKEN}}
 ```
 
+It is [recommended that Dependabot is used][] to keep the GitHub Action updated
+to the latest release by using a `.github/dependabot.yml` config file similar to
+
+```yaml
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+```
+
 To request access to the repository please open an issue on [this action
 repository](https://github.com/scientific-python/upload-nightly-action). You can
 then generate a token at `https://anaconda.org/scientific-python-nightly-wheels/settings/access`
@@ -60,6 +73,6 @@ dependencies:
     - --pre --index-url https://pypi.anaconda.org/scientific-python-nightly-wheels/simple --extra-index-url https://pypi.org/simple
     - matplotlib
 ```
-
+[recommended that Dependabot is used]: https://learn.scientific-python.org/development/guides/gha_basic/#updating
 [nightly package index]: https://anaconda.org/scientific-python-nightly-wheels
 [PyPI]: https://pypi.org/