Allow use of dependabot/fetch-metadata #713

Merged
potiuk merged 2 commits into apache:main from ppkarwasz:feat/dependabot-fetch-metadata
Apr 14, 2026

Conversation

@ppkarwasz (Contributor)

@ppkarwasz ppkarwasz commented Apr 14, 2026

Overview

The dependabot/fetch-metadata action retrieves metadata from a Dependabot PR. Most notably:

  • It verifies that all commits in the PR are authored by Dependabot. This prevents malicious users from opening PRs that merge a Dependabot-managed branch from a fork into the base repo, which could otherwise trigger events that bypass a github.actor == 'dependabot[bot]' check.
  • It parses the PR description and the latest commit.
  • It exports metadata about the updated dependencies.

Name of action: dependabot/fetch-metadata
URL of action: https://github.com/dependabot/fetch-metadata
Version to pin to (hash only): ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 (v3.0.0)

This is a continuation of #339.

Permissions

The action requires only read permission on contents and pull_requests. It also has an optional feature that retrieves the security alert associated with a PR, which requires a token with the security_events scope.

Checklist

You should be able to check most of these boxes for an action to be considered for review.
Please check all boxes that currently apply:

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured

This is a follow-up of apache#339: since `dependabot/fetch-metadata` has since released a version that supports grouped updates, we would like to use it in our Dependabot workflow.
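As an added example (not code from this PR or from the action's own repository), a minimal workflow that consumes the action pinned to the hash named above with only the read permissions the description lists; the output names `dependency-names` and `update-type` are assumed here from the action's documentation and should be checked against its README.

```yaml
# Added example, not part of PR #713: consume dependabot/fetch-metadata
# pinned to the commit hash requested in this PR.
name: Dependabot metadata
on: pull_request            # GITHUB_TOKEN is read-only for fork PRs here

permissions:
  contents: read            # the two read scopes the PR description names
  pull-requests: read

jobs:
  metadata:
    # github.actor alone can be bypassed (see the PR description); the
    # fetch-metadata step below additionally verifies that every commit
    # in the PR was authored by Dependabot and fails otherwise.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        # pinned to the full commit SHA from this PR (v3.0.0)
        uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # alert-lookup: true would need a token with the security_events scope
      - name: Show what Dependabot changed
        # pass outputs through env rather than interpolating into the script
        env:
          DEPS: ${{ steps.metadata.outputs.dependency-names }}   # assumed output name
          UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }} # assumed output name
        run: |
          echo "Dependencies: $DEPS"
          echo "Update type:  $UPDATE_TYPE"
```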
@potiuk (Member)

potiuk commented Apr 14, 2026

Verified with `uv run utils/verify-action-build.py --from-pr 713` - recompiles nicely.

Looked at the code, nothing suspicious - and it's a dependabot action, so should be rather safe - released 3 weeks ago, so I do not expect any nasty surprises.

@potiuk potiuk merged commit f123dda into apache:main Apr 14, 2026
9 checks passed
@ppkarwasz ppkarwasz deleted the feat/dependabot-fetch-metadata branch April 15, 2026 05:32