"GitHub's own security guidance recommends pinning actions to full commit SHAs as the only truly immutable way to consume an action"

Why doesn't GitHub just enforce immutable versioning for actions? If you don't want immutable releases, you don't get to publish an Action. They could decide to enforce this and mitigate this class of issue.