Merge pull request #26 from jhrozek/new_frizbee_config

Exposed more configuration options of the library to the action

README.md

@@ -50,6 +50,47 @@ jobs:
           fail_on_unpinned: true
 ```
 
+### Fine-tuning the action
+
+There are several options available to further exclude certain branches, images or actions from the check.
+
+#### Exclude actions
+The `actions_exclude` input allows you to exclude certain actions from the check. This is useful if you have actions that you don't want to pin.
+
+```yml
+with:
+  actions_exclude: ["slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"]
+```
+
+Default: Unset. All actions are checked.
+
+#### Exclude action branches
+The `actions_exclude_branches` input allows you to exclude certain branches from the check. The reasoning being if you refer to an action by a branch in your workflow, you want to follow that branch.
+
+```yml
+with:
+  actions_exclude: ["main"]
+```
+Default: Set to `*` meaning that actions that are referred to by a branch are never pinned.
+
+#### Exclude container images
+The `images_exclude` input allows you to exclude certain container images from the check. This is useful if you have images that you don't want to pin.
+
+```yml
+with:
+  images_exclude: ["nginx"]
+```
+
+Default: `["scratch"]`
+
+#### Exclude container image tags
+The `images_exclude_tags` input allows you to exclude certain tags from the check. Some tags are not meant to be pinned, like `latest`.
+
+```yml
+with:
+  images_exclude_tags: ["latest"]
+```
+
 ### Create a token
 
 To enable the action to create a pull request (`open_pr: true`) , you will need to create a new token with the correct scope. This is needed because the default `GITHUB_TOKEN` doesn't have the necessary permissions (`workflows`).

main.go

@@ -85,6 +85,24 @@ func initAction(ctx context.Context) (*action.FrizbeeAction, error) {
 		return nil, fmt.Errorf("failed to clone repository: %w", err)
 	}
 
+	cfg := config.DefaultConfig()
+	excludeActions := os.Getenv("INPUT_ACTIONS_EXCLUDE")
+	if excludeActions != "" {
+		cfg.GHActions.Exclude = valToStrings(excludeActions)
+	}
+	excludeBranches := os.Getenv("INPUT_ACTIONS_EXCLUDE_BRANCHES")
+	if excludeBranches != "" {
+		cfg.GHActions.ExcludeBranches = valToStrings(excludeBranches)
+	}
+	excludeImages := os.Getenv("INPUT_IMAGES_EXCLUDE")
+	if excludeImages != "" {
+		cfg.Images.ExcludeImages = valToStrings(excludeImages)
+	}
+	excludeTags := os.Getenv("INPUT_IMAGES_EXCLUDE_TAGS")
+	if excludeTags != "" {
+		cfg.Images.ExcludeTags = valToStrings(excludeTags)
+	}
+
 	// Read the action settings from the environment and create the new frizbee replacers for actions and images
 	return &action.FrizbeeAction{
 		Client:    github.NewClient(tc),
@@ -99,8 +117,8 @@ func initAction(ctx context.Context) (*action.FrizbeeAction, error) {
 
 		OpenPR:          os.Getenv("INPUT_OPEN_PR") == "true",
 		FailOnUnpinned:  os.Getenv("INPUT_FAIL_ON_UNPINNED") == "true",
-		ActionsReplacer: replacer.NewGitHubActionsReplacer(config.DefaultConfig()).WithGitHubClientFromToken(token),
-		ImagesReplacer:  replacer.NewContainerImagesReplacer(config.DefaultConfig()),
+		ActionsReplacer: replacer.NewGitHubActionsReplacer(cfg).WithGitHubClientFromToken(token),
+		ImagesReplacer:  replacer.NewContainerImagesReplacer(cfg),
 		BFS:             fs,
 		Repo:            repo,
 	}, nil
@@ -125,14 +143,18 @@ func cloneRepository(url, owner, accessToken string) (billy.Filesystem, *git.Rep
 }
 
 func envToStrings(env string) []string {
+	return valToStrings(os.Getenv(env))
+}
+
+func valToStrings(val string) []string {
 	var vals []string
 
-	if env == "" {
+	if val == "" {
 		return []string{}
 	}
 
-	if err := json.Unmarshal([]byte(os.Getenv(env)), &vals); err != nil {
-		log.Printf("Error unmarshalling %s: %v", env, err)
+	if err := json.Unmarshal([]byte(val), &vals); err != nil {
+		log.Printf("Error unmarshalling %s: %v", val, err)
 		return []string{}
 	}