Merge pull request #2 from rdimitrov/implement-frizbee-action

Initial implementation of the frizbee action

.github/workflows/test.yml

@@ -0,0 +1,120 @@
+name: Test workflow for developing the frizbee-action
+on:
+  push:
+  workflow_dispatch:
+
+permissions: write-all
+
+jobs:
+  test_pr_and_fail_defaults:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          open_pr: true
+          fail_on_unpinned: true
+  test_pr_and_fail:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: tests/workflows
+          dockerfiles: tests/dockerfiles
+          kubernetes: tests/k8s
+          docker_compose: tests/docker_compose
+          open_pr: true
+          fail_on_unpinned: true
+  test_pr_and_fail_again:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: tests/workflows
+          dockerfiles: tests/dockerfiles
+          kubernetes: tests/k8s
+          docker_compose: tests/docker_compose
+          open_pr: true
+          fail_on_unpinned: true
+  test_no_pr_and_fail:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: tests/workflows
+          dockerfiles: tests/dockerfiles
+          kubernetes: tests/k8s
+          docker_compose: tests/docker_compose
+          open_pr: false
+          fail_on_unpinned: true
+  test_no_pr_and_no_fail:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: tests/workflows
+          dockerfiles: tests/dockerfiles
+          kubernetes: tests/k8s
+          docker_compose: tests/docker_compose
+          open_pr: false
+          fail_on_unpinned: false
+  test_no_pr_and_no_fail_no_actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: ""
+          dockerfiles: "."
+          kubernetes: ""
+          docker_compose: ""
+          open_pr: false
+          fail_on_unpinned: false
+  test_no_pr_and_no_fail_default:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          open_pr: false
+          fail_on_unpinned: false
+  test_no_pr_and_no_fail_conflict:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: ./ # Uses an action in the root directory
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: ""
+          dockerfiles: "."
+          kubernetes: "."
+          docker_compose: "."
+          open_pr: false
+          fail_on_unpinned: false

.gitignore

@@ -42,3 +42,5 @@ Thumbs.db
 
 # asdf
 .tool-versions
+
+frizbee-action

CONTRIBUTING.md

@@ -0,0 +1,48 @@
+
+# Contributing to Frizbee Action
+First off, thank you for taking the time to contribute to Frizbee Action! :+1: :tada: Frizbee Action is released under the Apache 2.0 license. If you would like to contribute something or want to hack on the code, this document should help you get started. You can find some hints for starting development in Frizbee's  [README](https://github.com/stacklok/frizbee-action/blob/main/README.md).
+
+## Table of contents 
+- [Code of Conduct](#code-of-conduct)
+- [Reporting Security Vulnerabilities](#reporting-security-vulnerabilities)
+- [How to Contribute](#how-to-contribute)
+  - [Sign the Contributor License Agreement](#sign-the-contributor-license-agreement)
+  - [Using GitHub Issues](#using-github-issues)
+  - [Not sure how to start contributing...](#not-sure-how-to-start-contributing)
+  - [Pull Request Process](#pull-request-process)
+  - [Contributing to docs](#contributing-to-docs)
+  - [Commit Message Guidelines](#commit-message-guidelines)
+
+
+## Code of Conduct
+This project adheres to the [Contributor Covenant](https://github.com/stacklok/frizbee/blob/main/CODE_OF_CONDUCT.md) code of conduct. By participating, you are expected to uphold this code. Please report unacceptable behavior to [email protected].
+
+## Reporting Security Vulnerabilities
+
+If you think you have found a security vulnerability in Frizbee please DO NOT disclose it publicly until we’ve had a chance to fix it. Please don’t report security vulnerabilities using GitHub issues; instead, please follow this [process](https://github.com/stacklok/frizbee/blob/main/SECURITY.md)
+
+## How to Contribute
+
+### Using GitHub Issues
+We use GitHub issues to track bugs and enhancements. If you have a general usage question, please ask in [Frizbee's discussion forum](https://discord.com/invite/RkzVuTp3WK). 
+
+If you are reporting a bug, please help to speed up problem diagnosis by providing as much information as possible. Ideally, that would include a small sample project that reproduces the problem.
+
+### Sign the Contributor License Agreement
+Before we accept a non-trivial patch or pull request, we will need you to sign the [Contributor License Agreement](https://github.com/stacklok/frizbee). Signing the contributor’s agreement does not grant anyone commit rights to the main repository, but it does mean that we can accept your contributions, and you will get an author credit if we do. Active contributors might be asked to join the core team and given the ability to merge pull requests.
+
+### Not sure how to start contributing...
+PRs to resolve existing issues are greatly appreciated and issues labeled as ["good first issue"](https://github.com/stacklok/frizbee/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22) are a great place to start!
+
+### Pull Request Process
+* Create an issue outlining the fix or feature.
+* Fork the Frizbee Action repository to your own GitHub account and clone it locally.
+* Hack on your changes.
+* Correctly format your commit messages, see [Commit Message Guidelines](#Commit-Message-Guidelines) below.
+* Open a PR by ensuring the title and its description reflect the content of the PR.
+* Ensure that CI passes, if it fails, fix the failures.
+* Every pull request requires a review from the core Frizbee Action team before merging.
+* Once approved, all of your commits will be squashed into a single commit with your PR title.
+
+### Commit Message Guidelines
+We follow the commit formatting recommendations found on [Chris Beams' How to Write a Git Commit Message article](https://chris.beams.io/posts/git-commit/).

Dockerfile

@@ -1,5 +1,4 @@
 FROM golang:alpine3.19@sha256:0466223b8544fb7d4ff04748acc4d75a608234bf4e79563bff208d2060c0dd79
-RUN apk add git 
 
 COPY . /home/src
 WORKDIR /home/src

README.md

@@ -1,2 +1,96 @@
+![image](https://github.com/stacklok/frizbee/assets/16540482/35034046-d962-475d-b8e2-67b7625f2a60)
+
+---
+[![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0) | [![](https://dcbadge.vercel.app/api/server/RkzVuTp3WK?logo=discord&label=Discord&color=5865&style=flat)](https://discord.gg/RkzVuTp3WK)
+
+---
 # Frizbee Action
 
+Frizbee Action helps you pin your GitHub Actions and container images to specific versions using checksums.
+
+You can configure it to fix it all for you and open a PR with the proposed changes,
+fail the CI if unpinned actions are found and much more. 
+
+The action is based on the Frizbee tool, available both as a CLI and as a library - https://github.com/stacklok/frizbee
+
+## Table of Contents
+
+- [Usage](#usage)
+- [Configuration](#configuration)
+- [Contributing](#contributing)
+- [License](#license)
+
+## Usage
+
+To use the Frizbee Action, you can use the following methods:
+
+```bash
+name: Frizbee Pinned Actions and Container Images Check
+
+on:
+  schedule:
+    - cron: '0 0 * * *' # Run every day at midnight
+  workflow_dispatch:
+
+jobs:
+  frizbee_check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - uses: stacklok/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          actions: .github/workflows
+          dockerfiles: ./docker
+          kubernetes: ./k8s
+          docker_compose: ./docker
+          open_pr: true
+          fail_on_unpinned: true
+```
+
+## Configuration
+
+The Frizbee Action can be configured through the following inputs:
+
+```yml
+  actions:
+    description: "Actions to correct"
+    required: false
+    default: ".github/workflows"
+  dockerfiles:
+    description: "Dockerfiles to correct"
+    required: false
+    default: "Dockerfile"
+  kubernetes:
+    description: "Kubernetes manifests to correct"
+    required: false
+    default: ""
+  docker_compose:
+    description: "Docker Compose files to correct"
+    required: false
+    default: ""
+  open_pr:
+    description: "Open a PR with the changes"
+    required: false
+    default: "true"
+  fail_on_unpinned:
+    description: "Fail if an unpinned action/image is found"
+    required: false
+    default: "false"
+```
+
+### Limitations
+
+The default `GITHUB_TOKEN` doesn't have the necessary permissions (`workflows`) to open a PR. 
+In case you want to use the `open_pr` feature, you will need to create a new token with the correct scope, add it as a secret
+and pass it to the action through the `GITHUB_TOKEN` environment variable.
+
+## Contributing
+
+We welcome contributions to Frizbee Action. Please see our [Contributing](./CONTRIBUTING.md) guide for more information.
+
+## License
+
+Frizbee is licensed under the [Apache 2.0 License](./LICENSE).

action.yml

@@ -5,10 +5,30 @@ branding:
   icon: "at-sign"
   color: "green"
 inputs:
-  GITHUB_TOKEN:
-    description: "GitHub token"
-    required: true
-
+  actions:
+    description: "Actions to correct"
+    required: false
+    default: ".github/workflows"
+  dockerfiles:
+    description: "Dockerfiles to correct"
+    required: false
+    default: "Dockerfile"
+  kubernetes:
+    description: "Kubernetes manifests to correct"
+    required: false
+    default: ""
+  docker_compose:
+    description: "Docker Compose files to correct"
+    required: false
+    default: ""
+  open_pr:
+    description: "Open a PR with the changes"
+    required: false
+    default: "true"
+  fail_on_unpinned:
+    description: "Fail if an unpinned action/image is found"
+    required: false
+    default: "false"
 runs:
   using: "docker"
   image: "Dockerfile"

go.mod

@@ -3,8 +3,54 @@ module github.com/stacklok/frizbee-action
 go 1.22.1
 
 require (
+	github.com/deckarep/golang-set/v2 v2.6.0
+	github.com/go-git/go-billy/v5 v5.5.0
+	github.com/go-git/go-git/v5 v5.12.0
 	github.com/google/go-github/v60 v60.0.0
+	github.com/stacklok/frizbee v0.0.19
 	golang.org/x/oauth2 v0.21.0
 )
 
-require github.com/google/go-querystring v1.1.0 // indirect
+require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/docker/cli v24.0.0+incompatible // indirect
+	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/docker v24.0.9+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.7.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/go-containerregistry v0.19.1 // indirect
+	github.com/google/go-github/v61 v61.0.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/puzpuzpuz/xsync v1.5.2 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sirupsen/logrus v1.9.1 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/spf13/cobra v1.8.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/vbatts/tar-split v0.11.3 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)