Just don't use actions which pull in arbitrary npm packages without a lockfile.