> It is effectively security theatre.

I disagree. Security is always a trade-off.

Owning, auditing, and maintaining your entire supply chain stack is more secure than pinning hashes, but it is not practical for most projects.

Pinning your hashes is more secure than not pinning, and is close to free.

At the end of the day, the line of trust is drawn somewhere (do you audit the actions provided by GitHub?). It is not possible to write and release software without trusting some third party at some stage.

The important part is recognizing where your "points of trust" are, and making a conscious decision about what is worth doing yourself.
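A small check for the pinning point above, added here as an example and not part of the original comment: it scans a GitHub Actions workflow and reports every `uses:` reference that is not pinned to a full 40-character commit SHA, which is the cheap step the comment calls "close to free". The sample workflow and the SHA in it are constructed placeholders, not real actions or commits.

```python
import re

# A full 40-hex-character git commit SHA: this is what "pinning the hash"
# means for an action reference of the form owner/repo@<sha>.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# A `uses:` line (step-level with "- ", or job-level for reusable workflows),
# optionally quoted, with any trailing comment ignored.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*(['"]?)([^'"\s#]+)\1""")


def is_pinned(ref: str) -> bool:
    """Return True if an action reference is pinned to a full commit SHA.

    Local actions (./path) and Docker references (docker://...) carry no git
    ref to pin, so they are treated as acceptable here; adjust to taste.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    if "@" not in ref:
        return False  # no ref at all: resolves to the default branch
    _, _, version = ref.rpartition("@")
    return bool(FULL_SHA.match(version))


def unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every `uses:` not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and not is_pinned(m.group(2)):
            findings.append((lineno, m.group(2)))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.0
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run it against the workflow files under `.github/workflows/` in CI and fail the job when the list is non-empty; tag references still move, so the SHA comment on the pinned line is only documentation, not what is enforced.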