Hi, I'd like to provide feedback to improve the step security tool even more.
I believe it would be best if the pin deps tool only selected tags from official GitHub releases.
In this case, https://github.com/actions-rs/cargo, the project was using only @v1 and, using the tool, it was changed to the commit hash of the v1.0.3 tag. But the latest release of cargo is v1.0.1, so perhaps the pin deps tool should select the v1.0.1 commit hash instead.
Thanks!
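As an added illustration (not part of this issue or of the pin deps tool's own code), here is a Python sketch of the selection rule proposed above: only tags that correspond to a published GitHub release are candidates for pinning, and annotated tags are dereferenced to the commit they point at so the pin is a commit SHA rather than a tag-object SHA. The data shapes are modelled on GitHub's REST API (`/tags`, `/releases`, `/git/ref/tags/{tag}`); the tag names, release list and SHAs are constructed placeholders, not the real actions-rs/cargo values.

```python
"""Pick a commit SHA for a GitHub Action pin, preferring tags that are published releases."""
import re
from typing import Optional, Tuple

# Constructed sample data (placeholders, NOT real actions-rs/cargo SHAs).
# TAGS mirrors what GET /git/ref/tags/{tag} returns: a lightweight tag points
# straight at a commit, an annotated tag points at a tag object.
TAGS = {
    "v1":     {"type": "commit", "sha": "a" * 40},
    "v1.0.1": {"type": "tag",    "sha": "b" * 40},   # annotated tag object
    "v1.0.3": {"type": "commit", "sha": "c" * 40},   # tag with no release
}
# Tag objects (GET /git/tags/{sha}) resolved to the commit they annotate.
TAG_OBJECTS = {"b" * 40: {"object": {"type": "commit", "sha": "d" * 40}}}
# Published releases (GET /releases); v1.0.3 is deliberately absent.
RELEASES = [{"tag_name": "v1.0.1", "draft": False, "prerelease": False}]

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a semver-style tag, else None."""
    m = SEMVER.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def resolve_commit(tag: str, tags=TAGS, tag_objects=TAG_OBJECTS) -> str:
    """Dereference an annotated tag so the pin is the commit SHA, not the tag object SHA."""
    ref = tags[tag]
    if ref["type"] == "tag":
        return tag_objects[ref["sha"]]["object"]["sha"]
    return ref["sha"]


def select_release_pin(requested: str, tags=TAGS, releases=RELEASES):
    """Given a floating ref like 'v1', return (tag, commit_sha) for the newest
    published, non-prerelease release in that major line, or None if none exists."""
    major = int(requested.lstrip("v").split(".")[0])
    published = {r["tag_name"] for r in releases if not r["draft"] and not r["prerelease"]}
    candidates = []
    for tag in tags:
        version = parse_version(tag)
        if version and version[0] == major and tag in published:
            candidates.append(tag)
    if not candidates:
        return None
    best = max(candidates, key=parse_version)
    return best, resolve_commit(best, tags)


def pinned_uses(repo: str, requested: str) -> Optional[str]:
    """Render the `uses:` value with the SHA pin and the release tag as a comment."""
    picked = select_release_pin(requested)
    return None if picked is None else f"{repo}@{picked[1]} # {picked[0]}"
```

With the constructed data, `pinned_uses("actions-rs/cargo", "v1")` yields the v1.0.1 commit rather than the unreleased v1.0.3 tag.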