Hi team.

We use govulncheck-action for our internal repositories to report vulnerability.

In this August, GitHub published Require actions to be pinned to a full-length commit SHA option, and then our company decided on a policy to enable that option gradually last week.
https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

There are some tag references in govulncheck-action/action.yml. Is there a plan to migrate them to hash?