Improvement: Add option to verify SHA pins, check for age (e.g. WARN or FAIL if over >n days old)

[ModeSevenIndustrialSolutions]

I'd be really interested to see the option to recursively pull remote actions/workflows and have their SHA sum/values checked for validity, i.e. fail if the SHA value is invalid, version has been removed/pulled, or the entire remote repository has gone away. I'd also like to see the option to pass an expiry time, so if the pinned SHA corresponds to a GIT commit (for example, over 90 days old), for this action to either WARN or FAIL.

[dbelyaev]

I’m curious about the use case for specifying an expiry time on a pinned hash.

Typically, hashes reference a specific tagged version in an action's repository, meaning they become "outdated" when a new version is released while the reference remains unchanged. However, such issues can be easily managed using Dependabot, which automatically creates update PRs when a new version of an action is available and supports pinned versions as well.