Comment by WillDaSilva
6 days ago
There's a repository setting you can enable to prevent actions from running unless they have their version pinned to a SHA digest. This setting applies transitively, so while you can't force your dependencies to use SHA pinning for their dependencies, you can block any workflow from running if it doesn't.
A lockfile would address this issue, with the added benefit that it would work
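As an added example, not part of the comment above and not GitHub's own tooling: a small stand-alone Python check that applies the same rule to a single workflow file, flagging every `uses:` reference whose version is not an immutable digest (a 40-hex commit SHA for repository actions, a `@sha256:` digest for `docker://` images). Local `./` actions are already fixed by the repository's own commit, so they are skipped. The sample workflow and the commit SHA in it are constructed for this example; the script inspects one file only and does not follow composite or reusable actions transitively the way the repository setting does.

```python
import re

# Constructed sample workflow (not taken from the original page). It mixes the
# styles a reviewer meets in practice: a floating tag, a commit-SHA pin with a
# version comment, a local action, an unpinned image tag and a branch name.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # constructed SHA
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

# Matches the `uses:` key of a step and captures the reference up to the first
# whitespace, so a trailing "# version" comment is ignored.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # full SHA-1 commit id
IMAGE_DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")  # sha256 image digest


def classify_ref(ref):
    """Classify one `uses:` value as 'local', 'pinned' or 'unpinned'.

    Tags and branch names are mutable, so only a commit SHA (repository
    actions) or an @sha256: digest (container images) counts as pinned.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@sha256:" in image:
            digest = image.rsplit("@sha256:", 1)[1]
            return "pinned" if IMAGE_DIGEST_RE.match(digest) else "unpinned"
        return "unpinned"  # bare tag such as alpine:3.20 can be re-pointed
    if "@" not in ref:
        return "unpinned"  # no version at all
    _, version = ref.rsplit("@", 1)
    return "pinned" if GIT_SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text):
    """Return [(line_number, ref), ...] for every action reference not pinned to a digest."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) == "unpinned":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{ref}' is not pinned to an immutable digest")
```

Run against the sample it reports the `@v4` tag, the bare image tag and the `@main` branch reference, and accepts the SHA-pinned step. A repository setting of the kind described in the comment enforces this at run time; a check like this one is the pre-merge equivalent a reviewer can run in CI over `.github/workflows/*.yml`.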