You can solve that by pinning commit hashes, so that nobody can change the code of the actions you use without your consent. You can then use Dependabot to automatically get PRs to update to the latest version of each action when it comes out. You still get the chance to review each PR before it goes in.
I wish GitHub would implement a security setting requiring repositories to do this within an organization.
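As an added illustration of the pinning discipline described in the comment above (example code, not the commenter's or GitHub's), this script audits workflow text for `uses:` references that are not pinned to a full commit SHA and recognises the `# vX.Y.Z` trailing comment Dependabot maintains. The sample workflow and its SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# `uses: owner/repo[/path]@ref` with an optional trailing `# vX.Y.Z` comment
# (the convention Dependabot keeps in sync when it bumps the pinned SHA).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<version>\S+))?"
)
SHA_RE = re.compile(r"[0-9a-f]{40}")

@dataclass
class UsesRef:
    line_no: int
    action: str
    ref: str
    version_comment: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only a full 40-hex commit SHA is immutable; a tag or branch can be
        # re-pointed by whoever controls the action's repository.
        return SHA_RE.fullmatch(self.ref) is not None

def find_uses(workflow_text: str) -> List[UsesRef]:
    """Collect every remote `uses:` reference (local `./` actions have no @ref)."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append(UsesRef(n, m["action"], m["ref"], m["version"]))
    return refs

def unpinned(workflow_text: str) -> List[UsesRef]:
    """Return the references a reviewer would ask to be SHA-pinned."""
    return [r for r in find_uses(workflow_text) if not r.pinned]

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - run: npm test
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
```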