[ratrocket]

Depending on your circumstances (and if the license of the action allows it) it's "easy" to fork the action and use your own fork. Instant "pinning".

[carlmr]

But how does that solve the issue with the forked action not using pinned versions itself.

You need to recursively fork and modify every version of the GHA and do that to its sub-actions.

You'd need something like a lockgile mechanism to prevent this.

[ratrocket]

Yes, that is completely true -- transitive dependencies are a problem. What I suggested only works in the simplest cases and isn't a great solution, more of a bandaid.