Their action is also super handy: https://github.com/zizmorcore/zizmor-action

Use pinact (you can brew install it) to pin it by checksum: https://github.com/suzuki-shunsuke/pinact