Restrict permissions, update actions

The actions release numbers were taken from the 3.1dev branch.

    Note: there was one strange codespell error in PR #2263.
    Maybe the updated action will avoid this in the future.

.github/workflows/docker-3.0.yml

@@ -2,7 +2,7 @@ name: docker-3.0
 
 on:
   push:
-    branches: 
+    branches:
       - 3.0
   workflow_dispatch:
   schedule:
@@ -19,36 +19,36 @@ jobs:
 
     steps:
       - name: Source checkout
-        uses: actions/checkout@v2.3.4 
- 
+        uses: actions/checkout@v3
+
       - name: Setup QEMU
         id: qemu
-        uses: docker/setup-qemu-action@v1.2.0
-      
+        uses: docker/setup-qemu-action@v2.1.0
+
       - name: Setup Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: Set Docker metadata
         id: docker_meta
-        uses: docker/metadata-action@v3
+        uses: docker/metadata-action@v4
         with:
           images: ${{ github.repository }}
           labels: |
             org.opencontainers.image.version=${{ env.BUILD_VERSION }}
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.title=${{ github.repository }}
-            
+
       - name: GitHub login
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/login-action@v1.10.0
+        uses: docker/login-action@v2.1.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v2.6.1
+        uses: docker/build-push-action@v3.2.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
           context: .
@@ -60,3 +60,4 @@ jobs:
           labels: ${{ steps.docker_meta.outputs.labels }}
           tags: |
             ghcr.io/${{ github.repository }}:${{ env.BUILD_VERSION }}
+            ghcr.io/${{ github.repository }}:latest