Pinning to a full commit SHA is immutable, unlike a tag, which can be moved to point at malicious code. A signed tag is still a movable ref, forking upstream is heavy-handed (and forks can update), and vendoring source is not a supported way to reference actions.
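The check a defender would want from this is a lint over workflow files that reports every `uses:` reference not pinned to a full 40-hex commit SHA. The audit below is an added example, not code from the page or from GitHub; the workflow text and the 40-hex value in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# A `uses:` entry: optional list dash, optional quotes, optional trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'#\s]+)["\']?\s*(#.*)?$')
# GitHub requires the full-length SHA for an immutable pin; short SHAs do not count.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    kind: str  # "sha", "digest", "mutable", "unpinned", "local"


def audit_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` reference in a workflow by how it is pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if value.startswith("./"):            # local action, lives in this repo
            findings.append(Finding(lineno, value, "", "local"))
        elif value.startswith("docker://"):    # image tag is movable, digest is not
            kind = "digest" if "@sha256:" in value else "mutable"
            findings.append(Finding(lineno, value, "", kind))
        else:
            action, sep, ref = value.partition("@")
            if not sep:
                kind = "unpinned"              # defaults to a branch: fully movable
            elif FULL_SHA_RE.match(ref):
                kind = "sha"                   # immutable pin
            else:
                kind = "mutable"               # tag, branch, or short SHA
            findings.append(Finding(lineno, action, ref, kind))
    return findings


def mutable_pins(text: str) -> list[Finding]:
    """Only the references a reviewer should ask to be re-pinned."""
    return [f for f in audit_workflow(text) if f.kind in ("mutable", "unpinned")]


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # tag: movable
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # full SHA
      - uses: "./.github/actions/local-thing"
      - uses: docker://alpine:3.19
      - uses: some-org/unpinned-action
"""
```

Running `mutable_pins(SAMPLE_WORKFLOW)` reports the tag pin, the docker tag and the bare reference, and leaves the SHA-pinned and local steps alone.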
Official docs