To get something of a lockfile you can use the hash of the version you want to pin your dependencies:

> actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744