{"id":26138391,"url":"https://github.com/stacklok/frizbee-action","last_synced_at":"2026-04-02T18:05:41.500Z","repository":{"id":243729988,"uuid":"813187538","full_name":"stacklok/frizbee-action","owner":"stacklok","description":"Frizbee Action helps you pin your GitHub Actions and container images to specific versions using checksums.","archived":false,"fork":false,"pushed_at":"2025-08-06T13:22:07.000Z","size":201,"stargazers_count":5,"open_issues_count":12,"forks_count":5,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-08-11T03:10:04.927Z","etag":null,"topics":["actions","devsecops","security-tools","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://stacklok.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stacklok.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-06-10T16:26:16.000Z","updated_at":"2025-07-21T22:39:27.000Z","dependencies_parsed_at":"2024-08-26T09:22:20.263Z","dependency_job_id":"30c8388b-adaf-4bc7-aaf4-4c5620d36c3e","html_url":"https://github.com/stacklok/frizbee-action","commit_stats":null,"previous_names":["stacklok/frizbee-action"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/stacklok/frizbee-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ffrizbee-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ffrizbee-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stack
lok%2Ffrizbee-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ffrizbee-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stacklok","download_url":"https://codeload.github.com/stacklok/frizbee-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stacklok%2Ffrizbee-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":272004303,"owners_count":24856937,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-25T02:00:12.092Z","response_time":1107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","devsecops","security-tools","supply-chain-security"],"created_at":"2025-03-11T01:58:02.035Z","updated_at":"2026-04-02T18:05:36.469Z","avatar_url":"https://github.com/stacklok.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![image](https://github.com/stacklok/frizbee/assets/16540482/35034046-d962-475d-b8e2-67b7625f2a60)\n\n---\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0) | [![](https://dcbadge.vercel.app/api/server/RkzVuTp3WK?logo=discord\u0026label=Discord\u0026color=5865\u0026style=flat)](https://discord.gg/RkzVuTp3WK)\n\n---\n# Frizbee Action\n\nFrizbee Action helps you pin your 
GitHub Actions and container images to specific versions using checksums.\n\nYou can configure it to fix it all for you and open a PR with the proposed changes,\nfail the CI if unpinned actions are found and much more. \n\nThe action is based on the Frizbee tool, available both as a CLI and as a library - https://github.com/stacklok/frizbee\n\n\u003e Note: This action uses a pre-built Docker image from GHCR (`ghcr.io/stacklok/frizbee-action`) to improve performance and reduce build time during workflow execution.\n\u003e The image is automatically built and published when a new release is created. Upon each release, the image reference in action.yml should be updated to the latest stable version.\n\n## Table of Contents\n\n- [Usage](#usage)\n- [Configuration](#configuration)\n- [Contributing](#contributing)\n- [License](#license)\n\n## Usage\n\nTo use the Frizbee Action, you can use the following methods:\n\n```yml\nname: Frizbee Pinned Actions and Container Images Check\n\non:\n  schedule:\n    - cron: '0 0 * * *' # Run every day at midnight\n  workflow_dispatch:\n\njobs:\n  frizbee_check:\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n      - uses: stacklok/frizbee-action@v0.0.5\n        env:\n          GITHUB_TOKEN: ${{ secrets.FRIZBEE_TOKEN }}\n        with:\n          actions: .github/workflows\n          dockerfiles: '[\"./Dockerfile\", \"./images\"]' # You can specify multiple files or directories\n          kubernetes: '[\"./k8s\"]'\n          docker_compose: '[\"./docker\"]'\n          open_pr: true\n          fail_on_unpinned: true\n```\n\n### Fine-tuning the action\n\nThere are several options available to further exclude certain branches, images or actions from the check.\n\n#### Exclude actions\nThe `actions_exclude` input allows you to exclude certain actions from the check. 
This is useful if you have actions that you don't want to pin.\n\n```yml\nwith:\n  actions_exclude: [\"slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml\"]\n```\n\nDefault: Unset. All actions are checked.\n\n#### Exclude action branches\nThe `actions_exclude_branches` input allows you to exclude certain branches from the check. The reasoning is that if you refer to an action by a branch in your workflow, you want to follow that branch.\n\n```yml\nwith:\n  actions_exclude_branches: [\"main\"]\n```\n\nDefault: Set to `*`, meaning that actions that are referred to by a branch are never pinned.\n\n#### Exclude container images\nThe `images_exclude` input allows you to exclude certain container images from the check. This is useful if you have images that you don't want to pin.\n\n```yml\nwith:\n  images_exclude: [\"nginx\"]\n```\n\nDefault: `[\"scratch\"]`\n\n#### Exclude container image tags\nThe `images_exclude_tags` input allows you to exclude certain tags from the check. Some tags are not meant to be pinned, like `latest`.\n\n```yml\nwith:\n  images_exclude_tags: [\"latest\"]\n```\n\n### Create a token\n\nTo enable the action to create a pull request (`open_pr: true`), you will need to create a new token with the correct scope. 
This is needed because the default `GITHUB_TOKEN` doesn't have the necessary permissions (`workflows`).\n\nTo do so, go to your GitHub account, then `Settings` -\u003e `Developer settings` -\u003e `Personal access tokens` -\u003e `Fine-grained tokens` -\u003e `Generate new token`.\n\nName the token `FRIZBEE_TOKEN` and give it a description and an expiration date.\n\nYou can then assign access to all repositories or only to specific repositories.\n\nShould you select specific repositories, you will need to add the repository\nwhere you are using the action.\n\nMake sure the following scopes are assigned:\n\n* The `workflows` scope, with read and write access.\n* The `contents` scope, with read and write access.\n* The `pull_requests` scope, with read and write access.\n\n### Set up the Secret\n\nHead to the repository where you are using the action, then `Settings` -\u003e `Secrets and variables` -\u003e `Actions` -\u003e `New repository secret`.\n\nName the secret `FRIZBEE_TOKEN`, paste the token you created in the previous\nstep and select `Add secret`.\n\n#### Minder\n\nFrizbee is also a feature of the [Minder](https://github.com/mindersec/minder) Open Source project.\nWith Minder, you can also easily enable the automation of pinning your actions\nand container images. 
You can also do a lot more, such as monitoring your\ndependencies, scanning your code for vulnerabilities, and securely configuring\nyour repositories and GitHub Actions.\n\nIf you prefer to automate all of this via a hosted service, we recommend trying out the Minder cloud from [Custcodian](https://custcodian.dev/).\n\n## Configuration\n\nThe Frizbee Action can be configured through the following inputs:\n\n```yml\n  actions:\n    description: \"Actions to correct\"\n    required: false\n    default: \".github/workflows\"\n  dockerfiles:\n    description: \"Dockerfiles to correct\"\n    required: false\n    default: \"Dockerfile\"\n  kubernetes:\n    description: \"Kubernetes manifests to correct\"\n    required: false\n    default: \"\"\n  docker_compose:\n    description: \"Docker Compose files to correct\"\n    required: false\n    default: \"\"\n  open_pr:\n    description: \"Open a PR with the changes\"\n    required: false\n    default: \"true\"\n  fail_on_unpinned:\n    description: \"Fail if an unpinned action/image is found\"\n    required: false\n    default: \"false\"\n```\n\n## Release Process\n\nTo release a new version of the Frizbee Action, follow these steps:\n\n1. Update the version in the `action.yml` file with the new version number you're about to release, e.g. `v0.0.5`.\n2. Cut a new release by creating a release tagged with the new version number you just set in the `action.yml` file. For example, if you updated the version to `v0.0.5`, create a new release with the tag `v0.0.5`.\n3. Once the release is created, the GitHub Actions workflow will automatically build the Docker image and push it to the GitHub Container Registry (GHCR).\n\n## Contributing\n\nWe welcome contributions to Frizbee Action. 
Please see our [Contributing](./CONTRIBUTING.md) guide for more information.\n\n## License\n\nFrizbee Action is licensed under the [Apache 2.0 License](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacklok%2Ffrizbee-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstacklok%2Ffrizbee-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstacklok%2Ffrizbee-action/lists"}