I'm not sure I follow why the "official" actions under the actions org are materially different to others? I agree they're likely to have better processes around contributions, but they are fundamentally an open contribution model with human review, and human review is fallible. Unless they had extra sandboxing, pinning requirements, materially better testing, etc, I'm not sure there's a huge difference.
However, the Linux one grabs two from third-party (to GitHub) repos. These seem relatively safe, from official systems-level projects — snapcraft and docker. I'm going to suggest to Codium they add a SHA to pin those, just like I would suggest they unpin GitHub Actions if they'd had them pinned. Sorry, I was looking at the Mac one because I have a Mac even though the link up the thread was for Linux.
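As an added example (not from the commenter, and not Codium's own workflow), a small Python audit that lists every `uses:` reference in a GitHub Actions workflow that is not pinned to a full-length commit SHA; consistent with the comment above, it treats actions under the `actions` org like any other. The sample workflow and its action names and SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass

# "uses: owner/repo[/path]@ref" on a step line; a trailing "# ..." comment
# (commonly the tag the SHA was resolved from) is captured separately.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

@dataclass
class Finding:
    line: int     # 1-based line number in the workflow file
    action: str   # owner/repo[/path]
    ref: str      # whatever followed '@' ('' if nothing did)
    reason: str

def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not pinned to a full 40-hex commit SHA.
    Local actions (./path) and docker:// images are skipped: they are not resolved
    through a mutable Git tag or branch of a third-party repository."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith('./') or target.startswith('docker://'):
            continue
        if '@' not in target:
            findings.append(Finding(n, target, '', 'no ref given (resolves to the default branch)'))
            continue
        action, ref = target.rsplit('@', 1)
        if FULL_SHA_RE.match(ref):
            continue  # pinned: the referenced code cannot change under you
        findings.append(Finding(n, action, ref, 'mutable tag/branch ref, not a full commit SHA'))
    return findings

# Constructed sample workflow; example-org/* actions and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: build-linux
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/snap-build-action@v1      # placeholder third-party action
      - uses: example-org/docker-build-action@main  # placeholder third-party action
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
      - uses: ./.github/actions/local-step
"""

if __name__ == '__main__':
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f'line {f.line}: {f.action}@{f.ref or "<none>"}: {f.reason}')
```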