I work with repos where all GitHub Actions are pinned by commit hash, and passlisted in the repo settings. As of #406, it is not possible to do this anymore, since it internally fetches `aquasecurity/setup-trivy` by tag, and there does not seem to be any way to override that. Even if `skip-setup-trivy: true` is set, it seems GitHub will require passlisting the tag version.
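An added example, not part of the original report or of the project's code: a small audit that lists every `uses:` reference not pinned to a full 40-character commit SHA, run over both a workflow and the `action.yml` of a composite action it depends on. The action names, the SHA, the tag and the `skip-setup` input are constructed placeholders.

```python
import re

# Value of a step's `uses:` key in a workflow or composite action file.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref):
    """Return 'local', 'docker', 'sha' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"       # action stored in the same repository
    if ref.startswith("docker://"):
        return "docker"      # image references are out of scope here
    _, _, version = ref.partition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"

def unpinned_uses(yaml_text):
    """List (line_number, ref) for each `uses:` that is a tag, branch or short SHA."""
    findings = []
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and classify(match.group(1)) == "mutable":
            findings.append((number, match.group(1)))
    return findings

# Constructed sample: the caller's workflow, pinned by commit hash.
WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/scanner-action@0123456789abcdef0123456789abcdef01234567 # v1
"""

# Constructed sample: action.yml of that dependency, with a nested step
# pinned by tag. The `if:` does not remove the reference from the file.
COMPOSITE_ACTION = """\
name: scanner
runs:
  using: composite
  steps:
    - name: Install tool
      if: ${{ inputs.skip-setup == 'false' }}
      uses: example-org/setup-tool@v1.2.3
    - run: scanner --version
      shell: bash
"""

if __name__ == "__main__":
    for label, text in (("workflow", WORKFLOW), ("action.yml", COMPOSITE_ACTION)):
        print(label, unpinned_uses(text))
```

The workflow passes on its own; the tag only shows up when the dependency's `action.yml` at the pinned commit is audited as well.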