Frizbee Action

Frizbee Action helps you pin your GitHub Actions and container images to specific versions using checksums.

You can configure it to fix it all for you and open a PR with the proposed changes, fail the CI if unpinned actions are found and much more.

The action is based on the Frizbee tool, available both as a CLI and as a library - https://github.com/stacklok/frizbee

Note: This action uses a pre-built Docker image from GHCR (ghcr.io/stacklok/frizbee-action) to improve performance and reduce build time during workflow execution. The image is automatically built and published when a new release is created. Upon each release, the image reference in action.yml should be updated to the latest stable version.


Usage

To use the Frizbee Action, add a workflow like the following to your repository:

name: Frizbee Pinned Actions and Container Images Check

on:
  schedule:
    - cron: '0 0 * * *' # Run every day at midnight
  workflow_dispatch:

jobs:
  frizbee_check:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: stacklok/frizbee-action@v0.0.5
        env:
          GITHUB_TOKEN: ${{ secrets.FRIZBEE_TOKEN }}
        with:
          actions: .github/workflows
          dockerfiles: '["./Dockerfile", "./images"]' # You can specify multiple files or directories
          kubernetes: '["./k8s"]'
          docker_compose: '["./docker"]'
          open_pr: true
          fail_on_unpinned: true

Fine-tuning the action

There are several options available to further exclude certain branches, images or actions from the check.

Exclude actions

The actions_exclude input allows you to exclude certain actions from the check. This is useful if you have actions that you don't want to pin.

with:
  actions_exclude: ["slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"]

Default: Unset. All actions are checked.

Exclude action branches

The actions_exclude_branches input allows you to exclude certain branches from the check. The reasoning is that if you refer to an action by a branch in your workflow, you want to follow that branch rather than pin it to a single commit.

with:
  actions_exclude_branches: ["main"]

Default: Set to *, meaning that actions referred to by a branch are never pinned.

Exclude container images

The images_exclude input allows you to exclude certain container images from the check. This is useful if you have images that you don't want to pin.

with:
  images_exclude: ["nginx"]

Default: ["scratch"]

Exclude container image tags

The images_exclude_tags input allows you to exclude certain tags from the check. Some tags are not meant to be pinned, like latest.

with:
  images_exclude_tags: ["latest"]
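As an added illustration (not code from the frizbee-action project), the following script models how the exclusion inputs above interact with the pinning and fail_on_unpinned behaviour for workflow files: a constructed lookup table stands in for the GitHub queries Frizbee performs to resolve a tag or branch to a commit SHA, and the sample workflow, action names and SHAs are constructed.

```python
import re

# Matches `uses: owner/repo[/path]@ref`, keeping indentation and any trailing text.
USES_RE = re.compile(r"^(?P<head>\s*-?\s*uses:\s*)(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)(?P<tail>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed stand-in for the GitHub API lookups: (action, ref) -> (kind of ref, resolved commit SHA).
RESOLVED = {
    ("actions/checkout", "v4"): ("tag", "b4ffde65f46336ab88eb53be808477a3936bae11"),
    ("example/deploy", "main"): ("branch", "2222222222222222222222222222222222222222"),
}

# Constructed workflow excerpt used as sample input.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a755d2d3e2af
  - uses: ./.github/actions/local
  - uses: example/deploy@main
  - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
"""

def _needs_pin(action, ref, actions_exclude, actions_exclude_branches):
    """Apply the README's exclusion rules; True means this reference should be pinned to a SHA."""
    if SHA_RE.match(ref) or action in actions_exclude:
        return False
    if action.startswith(("./", "docker://")):  # local and docker:// actions have no commit to pin
        return False
    kind, _ = RESOLVED.get((action, ref), ("tag", None))  # unknown refs are treated as tags and flagged
    if kind == "branch" and ("*" in actions_exclude_branches or ref in actions_exclude_branches):
        return False  # default "*": branch references are followed, never pinned
    return True

def find_unpinned(text, actions_exclude=(), actions_exclude_branches=("*",)):
    """What fail_on_unpinned would report: `uses:` references that should be pinned but are not."""
    return [f'{m["action"]}@{m["ref"]}' for m in map(USES_RE.match, text.splitlines())
            if m and _needs_pin(m["action"], m["ref"], actions_exclude, actions_exclude_branches)]

def pin_workflow(text, actions_exclude=(), actions_exclude_branches=("*",)):
    """Rewrite pinnable references to their resolved SHA, keeping the original ref as a comment."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and _needs_pin(m["action"], m["ref"], actions_exclude, actions_exclude_branches):
            _, sha = RESOLVED.get((m["action"], m["ref"]), (None, None))
            if sha:  # references the lookup cannot resolve are left untouched
                line = f'{m["head"]}{m["action"]}@{sha} # {m["ref"]}'
        out.append(line)
    return "\n".join(out) + "\n"
```

Running find_unpinned on the output of pin_workflow shows which references still need attention after an automated pass.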

Create a token

To enable the action to create a pull request (open_pr: true), you will need to create a new token with the correct scope. This is needed because the default GITHUB_TOKEN doesn't have the necessary permissions (workflows).

To do so, go to your GitHub account, then Settings -> Developer settings -> Personal access tokens -> Fine-grained tokens -> Generate new token.

Name the Token as FRIZBEE_TOKEN and give it a description and an expiration date.

You can then assign access to All repositories or only to specific repositories.

Should you select specific repositories, you will need to add the repository where you are using the action.

Make sure the following scopes are assigned:

  • The workflows scope, with read and write access.
  • The contents scope, with read and write access.
  • The pull_requests scope, with read and write access.

Set up the Secret

Head to the repository where you are using the action, then Settings -> Secrets and variables -> Actions -> New repository secret.

Name the secret FRIZBEE_TOKEN, paste the token you created in the previous step and select Add secret.

Minder

Frizbee is also a feature of the Minder Open Source project. With Minder, you can also easily enable the automation of pinning your actions and container images. You can also do a lot more, such as monitoring your dependencies, scanning your code for vulnerabilities, and securely configuring your repositories and GitHub Actions.

If you prefer to automate all of this via a hosted service, we recommend trying out the Minder cloud from Custcodian.

Configuration

The Frizbee Action can be configured through the following inputs:

  actions:
    description: "Actions to correct"
    required: false
    default: ".github/workflows"
  dockerfiles:
    description: "Dockerfiles to correct"
    required: false
    default: "Dockerfile"
  kubernetes:
    description: "Kubernetes manifests to correct"
    required: false
    default: ""
  docker_compose:
    description: "Docker Compose files to correct"
    required: false
    default: ""
  open_pr:
    description: "Open a PR with the changes"
    required: false
    default: "true"
  fail_on_unpinned:
    description: "Fail if an unpinned action/image is found"
    required: false
    default: "false"

Release Process

To release a new version of the Frizbee Action, follow these steps:

  1. Update the version in the action.yml file with the new version number you're about to release, e.g. v0.0.5.
  2. Cut a new release by creating a release tagged with the new version number you just set in the action.yml file. For example, if you updated the version to v0.0.5, create a new release with the tag v0.0.5.
  3. Once the release is created, the GitHub Actions workflow will automatically build the Docker image and push it to the GitHub Container Registry (GHCR).

Contributing

We welcome contributions to Frizbee Action. Please see our Contributing guide for more information.

License

Frizbee Action is licensed under the Apache 2.0 License.