asdf-vm / asdf-plugin-template

📦 asdf-vm plugin template with GitHub Actions and more!

Home Page: https://asdf-vm.com


Pin actions to a full length commit SHA ?

marcwrobel opened this issue · comments

In its documentation, https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions, GitHub recommends pinning GitHub Actions to a full-length commit SHA.

The disadvantage of this is that it's more work compared to pinning actions to a tag. But it can be simplified by letting Dependabot handle the dependency upgrades.

One nice side effect is that there will be more activity in the repository. So this helps prevent scheduled GitHub Actions from becoming disabled when there is no activity for X consecutive days. Note that this is less needed by plugins in asdf-community because it seems there is a bot that generates activity every now and then (see "Update .github/CODEOWNERS" commits in https://github.com/asdf-community/asdf-graalvm/commits/master for example).

Should GitHub Action pinning to a full-length commit SHA be applied to this template repository?

As an example, GitHub Action pinning to a full-length commit SHA has been applied on asdf-quarkus.
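As an added example (not code from this issue, the template repository or asdf-quarkus): a small Python check that scans workflow text for `uses:` references and reports any that are not pinned to a full-length (40 hex character) commit SHA, distinguishing a movable tag or branch from an abbreviated SHA. The sample workflow is constructed for the example, and the 40-character SHA in it is a placeholder, not a real commit. The `# v4.0.0` style trailing comment is the form Dependabot keeps in sync with the pinned SHA when it raises an update.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re
from pathlib import Path
from typing import List, Tuple

# Matches `uses: owner/repo[/path]@ref`, with or without quotes and a trailing comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)['\"]?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Placeholder value for the example only; a real pin would be the actual commit SHA.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow: one tag pin, one full-SHA pin, one abbreviated SHA.
SAMPLE_WORKFLOW = f"""\
name: Test
on: [push, pull_request]
jobs:
  plugin_test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{PLACEHOLDER_SHA} # v4.0.0
      - uses: example-org/example-action@1234567
      - uses: ./.github/actions/local-step
"""


def classify_ref(ref: str) -> str:
    """'sha' for a full-length commit SHA, 'short-sha' for an abbreviated one,
    otherwise 'mutable' (a tag or branch the action owner can move or re-create)."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    return "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, kind) for every `uses:` not pinned to a full SHA.
    Local actions (`./path`) and `docker://` images carry no git ref and are skipped."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if action.startswith("./") or action.startswith("docker://"):
            continue
        kind = classify_ref(ref)
        if kind != "sha":
            findings.append((line_no, action, ref, kind))
    return findings


def scan_workflows(root: str = ".") -> List[Tuple[str, int, str, str, str]]:
    """Scan every .github/workflows/*.yml|*.yaml below `root` and collect findings."""
    results = []
    workflows_dir = Path(root) / ".github" / "workflows"
    for path in sorted(workflows_dir.glob("*.y*ml")):
        for line_no, action, ref, kind in find_unpinned(path.read_text()):
            results.append((str(path), line_no, action, ref, kind))
    return results


if __name__ == "__main__":
    for line_no, action, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} is {kind}, pin it to a full commit SHA")
```

Run against a checkout with `scan_workflows(".")`; only `actions/checkout@v4` (a movable tag) and the 7-character SHA are reported from the sample, while the full-SHA pin passes.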

Should GitHub Action pinning to a full-length commit SHA be applied to this template repository?

Probably. I am in the process of re-working this repo to make it easier for people to use on GitHub. I will add this feature to that rework.