Definitely a mixed bag. Lots of community derived actions which yes, potentially have some bad supply chain questions. I tend to try and avoid these as much as possible. Lots of established vendors also have their own actions shared though, so you don't have to reinvent the wheel when interacting with their platforms/services/products.

For instance, AWS has a lot of actions they maintain to assist with common CI/CD needs with AWS services.

https://github.com/aws-actions