GitHub Actions Has a Package Manager, and It Might Be the Worst (nesbitt.io)
20 points by todsacerdoti 35 days ago | 2 comments


Unfortunately you'd really need to use pinact run -u regularly and update your action hashes. Is there an action which does this automatically?

Yes: https://github.com/suzuki-shunsuke/pinact-action


Long story short: yes, you can pin your GitHub Action (and you should)

No, you shan't execute random code from the internet (the fact that you always execute the same random code is not important)

GitHub Actions is fine in this regard.
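What the pinning discussed in this thread looks like as a check: an added example (not part of the thread, the linked article or pinact) that flags `uses:` references not pinned to a full 40-character commit SHA. The workflow text, action names and SHA are constructed placeholders, and the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed sample workflow; action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1.2.3
      - uses: example-org/other-action/sub/path@main
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.20
      - name: quoted form
        uses: "example-org/quoted-action@v2"
      # - uses: example-org/commented-out@v1
"""

# Matches "uses:" as a step or job key; commented-out lines do not match.
USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^"'\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Return how a `uses:` reference is resolved."""
    if ref.startswith("./"):
        return "local"  # code from the same repository checkout
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "no-ref"
    # Tags and branches can be moved by the action's owner; a full SHA cannot.
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return (line number, reference, kind) for every mutable reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            kind = classify(match.group(1))
            if kind in ("mutable", "docker-tag", "no-ref"):
                findings.append((lineno, match.group(1), kind))
    return findings


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({kind})")
```

A pinned reference only fixes the top-level action to one commit; whatever that action itself fetches at run time is outside this check.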



