On top of that, that makes it quite hard to tell if the pinned hash actually corresponds to an actual released version of the action, which could lead to the case where somebody might get a commit hash approved that is not actually a released version. I would certainly add a version comment for each action and add a validation to see if it really corresponds to the tag.
@netomi in slack
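The validation described in the quoted message, written out as an added example (this is not code from the project or from the commenter): a small Python checker that scans a workflow file for `uses:` lines, requires every third-party action to be pinned to a full 40-character commit SHA with a trailing `# <version>` comment, and then verifies that the SHA really is the commit the named tag points to. The `TAG_TABLE`, the `example-org/*` action names and the SHAs are constructed stand-ins for what `git ls-remote --tags` would return; the workflow text is likewise constructed.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Optional

# Matches a `uses:` step reference such as
#   - uses: owner/repo@<ref> # v1.2.3
# and captures the action, the ref (sha, tag or branch) and the optional comment.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*
        (?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)   # owner/repo or owner/repo/subdir
        @(?P<ref>[^\s#]+)                            # ref: commit sha, tag or branch
        \s*(?:\#\s*(?P<comment>\S+))?                # optional version comment, e.g. "# v4.1.0"
        \s*$""",
    re.VERBOSE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA counts as a pin


class Finding(NamedTuple):
    line_no: int
    action: str
    problem: str


def check_workflow(text: str, resolve_tag: Callable[[str, str], Optional[str]]) -> List[Finding]:
    """Return one Finding per `uses:` line that violates the pinning policy.

    resolve_tag(repo, tag) must return the commit SHA the tag points to (for an
    annotated tag, the dereferenced commit), or None if the tag does not exist.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (plain step, local "./" action, docker://, ...)
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any subdirectory
        if not SHA_RE.match(ref):
            findings.append(Finding(line_no, action, f"not pinned to a full commit SHA (ref {ref!r})"))
            continue
        if comment is None:
            findings.append(Finding(line_no, action, "SHA pin has no version comment"))
            continue
        expected = resolve_tag(repo, comment)
        if expected is None:
            findings.append(Finding(line_no, action, f"comment {comment!r} is not a tag of {repo}"))
        elif expected != ref:
            findings.append(
                Finding(line_no, action, f"SHA does not match tag {comment!r} (tag -> {expected[:12]})")
            )
    return findings


# Constructed sample data standing in for the output of `git ls-remote --tags`.
# Repository names and SHAs are made up for this example.
TAG_TABLE: Dict[str, Dict[str, str]] = {
    "example-org/checkout": {"v4.1.0": "0123456789abcdef0123456789abcdef01234567"},
    "example-org/setup-tool": {"v3.0.0": "89abcdef0123456789abcdef0123456789abcdef"},
}


def lookup_tag(repo: str, tag: str) -> Optional[str]:
    """Offline tag resolver over the constructed TAG_TABLE."""
    return TAG_TABLE.get(repo, {}).get(tag)


# Constructed workflow: one correct pin, then four different policy violations.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: example-org/setup-tool@fedcba9876543210fedcba9876543210fedcba98 # v3.0.0
      - uses: example-org/setup-tool@fedcba9876543210fedcba9876543210fedcba98
      - uses: example-org/cache@v3
      - uses: example-org/checkout@0123456789abcdef0123456789abcdef01234567 # v9.9.9
"""


def sample_findings() -> List[Finding]:
    return check_workflow(SAMPLE_WORKFLOW, lookup_tag)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"line {f.line_no}: {f.action}: {f.problem}")
```

In a real pipeline the resolver would run `git ls-remote --tags https://github.com/<owner>/<repo> refs/tags/<tag>` (or the equivalent API call) and, for annotated tags, use the dereferenced `^{}` entry, because an annotated tag's own object id is not the commit that appears in the pin. Running this on the sample reports the SHA/tag mismatch, the missing comment, the unpinned `@v3` reference and the comment naming a tag that does not exist, while the correctly pinned first step passes.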