Closed
Description
Following the recent compromise of tj-actions/changed-files, it would be a good idea to pin the GitHub Actions in this repo to specific commit hashes to ensure a known version of each action is used, mitigating the risk of a supply chain attack through malicious updates.
See the related blog post by rafaelgss about pinning to the commit hash.
Happy to make a PR for this.
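As an added illustration of the check this issue asks for (this is example code, not code from this repository or from the linked blog post), the script below scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow is constructed for the example, and the all-zero SHA in it is a placeholder, not a real commit of actions/setup-node.

```python
import re

# Captures the `uses:` target of a workflow step: owner/repo[/path]@ref.
# Stops at whitespace, quotes or a trailing "# v4"-style comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?')

# A full commit SHA is 40 lowercase hex characters; anything else
# (a tag such as v4, a branch such as main, or an abbreviated SHA) is mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: two tag-pinned actions (flagged), one SHA-pinned
# action (placeholder SHA, accepted), one local action and one docker image (skipped).
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: run
        run: echo hi
"""


def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every `uses:` entry that is not pinned
    to a full commit SHA. `ref` is None when the entry has no @ref at all."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        target = match.group(1)
        # Local actions and docker images are not GitHub-hosted actions;
        # pinning them is a separate concern (path review, image digest).
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append((line_no, target, None))
            continue
        action, ref = target.rsplit("@", 1)
        if not SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        shown = f"{action}@{ref}" if ref else action
        print(f"line {line_no}: {shown} is not pinned to a commit SHA")
```

Running it over the sample reports the two tag-pinned steps (`actions/checkout@v4` and `tj-actions/changed-files@v45`) and accepts the SHA-pinned one. Pointing it at a real `.github/workflows/*.yml` file instead of the embedded sample gives the list of steps a pinning PR would need to touch; the SHA to pin each action to should then be taken from the action's own repository, with the tag kept as a trailing comment for readability.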
Metadata
Assignees
Labels
No labels