Services were introduced in ros2/sros2#71 and after to the new XML policy format (ros2/sros#72); both in Crystal.
But there is still an issue related to distinguishing requests vs. responses (see ros2/sros#94).
A discussion about how to incorporate security for actions was left here. I think a good step would be to brainstorm ideas in this thread and/or open a PR to ros2/design adding a section about security to the actions document.