You can sign images, and then theoretically validate those signatures; if an image changes it no longer matches the signature.

Optionally, you can tell your action to reference the docker image by sha256 hash also, in which case it's effectively immutable.