pin docker base images, enable dependabot to update once a week (localstack#4950)

Author: alexrashed

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:
+      - dependency-name: "python"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"

Dockerfile

@@ -1,7 +1,7 @@
 ARG IMAGE_TYPE=full
 
 # java-builder: Stage to build a custom JRE (with jlink)
-FROM python:3.8-slim-buster as java-builder
+FROM python:3.8.12-slim-buster@sha256:d328c165606db4773f8242972ae82c2f7312478a5071090a768d0e9fc63fab51 as java-builder
 ARG TARGETARCH
 
 # install OpenJDK 11
@@ -32,7 +32,7 @@ jdk.localedata --include-locales en,th \
 
 
 # base: Stage which installs necessary runtime dependencies (OS packages, java, maven,...)
-FROM python:3.8-slim-buster as base
+FROM python:3.8.12-slim-buster@sha256:d328c165606db4773f8242972ae82c2f7312478a5071090a768d0e9fc63fab51 as base
 ARG TARGETARCH
 
 # Install runtime OS package dependencies