
deepsun, today at 12:03 AM (2 replies)

Maybe it's better to pull that dependency source in your action altogether?


Replies

pabs3, today at 8:39 AM

Better to treat it as a dependency still, but audit each new commit/release as it comes in, and pin to the exact last commit id that you verified.
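The pinning practice described in this reply is easy to check mechanically. Below is an added example (not code from the thread's participants) of a small linter that scans a GitHub Actions workflow and reports every `uses:` reference that is not pinned to a full 40-character commit SHA, which is the form that survives a tag being moved or a branch being force-pushed. The embedded workflow text is constructed for the example; `actions/checkout` and `actions/setup-node` are real actions, while `some-org/some-action` and the SHA shown are placeholders.

```python
import re

# Captures the target of a `uses:` step, e.g. `owner/repo@ref` or `owner/repo/subdir@ref`.
# Optional surrounding quotes are tolerated; a trailing `# comment` is not captured.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)', re.MULTILINE)

# A full-length commit id is 40 lowercase hex characters; short SHAs, tags and
# branch names all fail this and are reported as unpinned.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned_actions(workflow_text):
    """Return [(action, ref)] for GitHub-hosted actions not pinned to a full commit SHA.

    `ref` is None when the reference has no `@` at all. Local actions (`./...`)
    and `docker://` images are outside the SHA-pinning question and are skipped.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append((target, None))
            continue
        action, ref = target.rsplit("@", 1)
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref))
    return findings


# Constructed sample workflow: one mutable tag, one placeholder full SHA, one branch.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.0 (placeholder SHA)
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    for action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref if ref is not None else '<no ref>'}")
```

Running the block against the sample reports `actions/checkout@v4` and `some-org/some-action@main`; the SHA-pinned `setup-node` step passes. Keeping the version as a trailing comment next to the SHA, as the sample does, preserves readability and is the form Dependabot recognises when it proposes a bumped SHA.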

rmunn, today at 1:31 AM

I hadn't previously considered vendoring GHA dependencies, but yes, that might be a good idea. Perhaps not in all circumstances, but for anything that might be at risk of supply-chain compromise, the same arguments that apply to NPM apply to GHA.