top | item 46190795


amake | 2 months ago

> it doesn't work for transitive deps unless those are specified by SHA as well, which is out of your control

So, in other words, the strategy in the docs doesn't actually address the issue.

WillDaSilva | 2 months ago

There's a repository setting you can enable to prevent actions from running unless they have their version pinned to a SHA digest. This setting applies transitively, so while you can't force your dependencies to use SHA pinning for their dependencies, you can block any workflow from running if it doesn't.
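The property the repository setting above enforces server-side (every `uses:` reference resolves to a full-length commit SHA, including the steps inside composite actions your workflow pulls in) can also be checked locally before a workflow is pushed. The following is an added example, not code from this thread or from GitHub: it scans workflow or composite-action YAML text for `uses:` lines and reports any reference whose version is a tag or branch rather than a 40-hex-character commit SHA. The workflow and `action.yml` samples are constructed, the action names and the SHA-shaped strings are placeholders, and the lint is line-based rather than a full YAML parse.

```python
"""Lint GitHub Actions `uses:` references for full-SHA pinning.

Added example (not from the thread or from GitHub). Scans workflow and
composite-action YAML text line by line and flags references that are not
pinned to a 40-hex commit SHA. Composite action metadata is scanned with the
same function, which is where the transitive references live.
"""
import re

# Matches "- uses: owner/repo@ref" or "uses: owner/repo@ref", with optional quotes,
# and stops at whitespace or a trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify(ref):
    """Return 'local', 'sha' or 'mutable' for one uses: reference."""
    if ref.startswith('./'):
        return 'local'  # same-repo action: no external ref to pin
    if ref.startswith('docker://'):
        # Docker images are pinned by digest, not by git SHA
        return 'sha' if '@sha256:' in ref else 'mutable'
    if '@' not in ref:
        return 'mutable'  # no version at all: resolves to the default branch
    _, version = ref.rsplit('@', 1)
    return 'sha' if SHA_RE.match(version) else 'mutable'


def find_unpinned(yaml_text):
    """Return [(line_no, ref), ...] for every uses: that is not SHA-pinned."""
    findings = []
    for n, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == 'mutable':
            findings.append((n, m.group(1)))
    return findings


# Constructed sample workflow. The 40-hex string is a placeholder, not a real commit.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: some-org/release-tool@main
"""

# Constructed action.yml for the hypothetical some-org/release-tool composite
# action: its own step is tag-pinned, which is the transitive case from the thread.
COMPOSITE = """\
name: release-tool
runs:
  using: composite
  steps:
    - uses: actions/cache@v3
      shell: bash
"""

if __name__ == "__main__":
    for label, text in (("workflow", WORKFLOW), ("composite action", COMPOSITE)):
        for line_no, ref in find_unpinned(text):
            print(f"{label}: line {line_no}: not SHA-pinned: {ref}")
```

Running it reports the two tag-pinned references in the workflow and the one inside the composite action. To check a dependency's transitive references for real, fetch its `action.yml` at the SHA you pinned and feed that text to `find_unpinned`; a tag alone tells you nothing about what the action will pull in next week.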

nextaccountic | 2 months ago

A lockfile would address this issue, with the added benefit that it would work.