| ▲ | amake a day ago | |||||||
> it doesn't work for transitive deps unless those are specified by SHA as well, which is out of your control So in other words the strategy in the docs doesn't actually address the issue | ||||||||
| ▲ | WillDaSilva a day ago | parent [-] | |||||||
There's a repository setting you can enable to prevent actions from running unless they have their version pinned to a SHA digest. This setting applies transitively, so while you can't force your dependencies to use SHA pinning for their dependencies, you can block any workflow from running if it doesn't. | ||||||||
| ||||||||