It is best practice to pin every action a workflow `uses:` to a full-length commit SHA rather than to a tag such as `@v4`, `@latest` or a branch like `@main`. A tag or branch is a mutable pointer that GitHub resolves fresh on every run, so whoever can move that pointer can change the code that executes in your CI without any change to your own repository. Ways that can happen include:
- The upstream action publishes a commit with malicious code in it and the tag your workflow references follows it.
- The upstream repository does not have tag-protection rules set correctly, so a malicious actor with push access can create or re-point a tag from a private branch.
- The upstream repository does not require GPG-signed commits, so a malicious actor can push a commit that looks like an automated one (a fake dependabot/renovatebot commit) and have it land under the tag.
A SHA pin only closes these holes when it is the full 40-character hash and has been checked to come from the action's own repository rather than a fork (GitHub serves any commit in a fork network under the upstream repository's URL), and when the action itself does not pull in unpinned nested actions. With actions pinned to a specific commit, the pins go stale unless something bumps them, so we should have Dependabot (a `github-actions` entry in `.github/dependabot.yml` with a weekly `interval`) open PRs that roll the SHA forward, and merge them only after the team has reviewed the upstream change. Keep the `# vX.Y.Z` comment next to each pin: Dependabot updates it together with the SHA, and it is what tells a reviewer which release the hash corresponds to.
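As an added example that is not part of this page and not tooling from GitHub or any action's project, the check below walks workflow YAML and flags every `uses:` reference that is not pinned to a full 40-hex commit SHA (tags, branches, short SHAs, docker image tags, or no ref at all), and also flags SHA pins that lack the `# vX.Y.Z` comment Dependabot keeps in sync. The sample workflow is constructed for illustration: the `example-org/*` actions are hypothetical, the 40-hex SHA is a placeholder and not a real commit, and `actions/checkout@v4` appears only as the unpinned form the page warns about.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this page, not tooling from GitHub or any action's project.
Regex-based and stdlib-only. The sample workflow is constructed; the
`example-org/*` actions are hypothetical and the 40-hex SHA is a placeholder.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches `uses: <ref>`, optionally preceded by a list dash and followed by a
# `# comment`, as written in a job's `steps:` or a composite action's steps.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*?))?\s*$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def split_ref(uses: str) -> tuple[str, str]:
    """Split `owner/repo[/path]@ref` into (action, ref); ref is '' when absent."""
    if "@" in uses:
        action, _, ref = uses.rpartition("@")
        return action, ref
    return uses, ""


def classify(uses: str) -> str:
    """Return how a `uses:` value is pinned:
    'local'   - ./path inside the calling repo, versioned with that repo
    'digest'  - docker://image@sha256:..., pinned by content digest
    'sha'     - repository action pinned to a full 40-hex commit SHA
    'mutable' - tag, branch, short SHA, docker image tag, or no ref at all
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "digest" if "@sha256:" in uses else "mutable"
    _, ref = split_ref(uses)
    return "sha" if FULL_SHA.match(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line a reviewer should look at."""
    findings: list[Finding] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        uses = m.group("ref")
        action, ref = split_ref(uses)
        kind = classify(uses)
        if kind == "mutable":
            findings.append(Finding(line_no, action, ref, "not pinned to a full commit SHA"))
        elif kind == "sha" and not m.group("comment"):
            # Dependabot reads the trailing `# vX.Y.Z` comment to know which
            # release a SHA tracks; without it the pin is opaque to reviewers.
            findings.append(Finding(line_no, action, ref, "SHA pin has no version comment"))
    return findings


# Constructed sample. example-org/* is hypothetical; the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.3.1
      - uses: example-org/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - name: deploy
        uses: example-org/deploy@main
"""


def main(paths: list[str]) -> int:
    """Scan the given workflow files (or the built-in sample); exit 1 on any finding."""
    texts = [(p, Path(p).read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in texts:
        for f in find_unpinned(text):
            print(f"{name}:{f.line_no}: {f.action}@{f.ref or '<none>'}: {f.reason}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python check_pins.py .github/workflows/*.yml` in CI to fail the build on an unpinned action. The check is deliberately offline: it cannot tell whether a SHA belongs to the upstream repository rather than a fork, so during review of a new pin compare it against `git ls-remote --tags` output for the upstream repository (the peeled `^{}` entry for annotated tags) before merging.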