From 4f968d15af1d3eb576953ebbb42eb6a964848d1e Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 18 Jun 2024 22:40:34 +0200
Subject: [PATCH] Exposed more configuration options of the library to the action

We hope that the defaults would satisfy more users, but they might want to tweak the exclusion rules to their liking.
---
 README.md | 41 +++++++++++++++++++++++++++++++++++++++++
 main.go | 32 +++++++++++++++++++++++++++-----
 2 files changed, 68 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 8a63c29..582f36b 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,47 @@ jobs:
 fail_on_unpinned: true
 ```
+### Fine-tuning the action
+
+There are several options available to further exclude certain branches, images or actions from the check.
+
+#### Exclude actions
+The `actions_exclude` input allows you to exclude certain actions from the check. This is useful if you have actions that you don't want to pin.
+
+```yml
+with:
+ actions_exclude: ["slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml"]
+```
+
+Default: Unset. All actions are checked.
+
+#### Exclude action branches
+The `actions_exclude_branches` input allows you to exclude certain branches from the check. The reasoning being if you refer to an action by a branch in your workflow, you want to follow that branch.
+
+```yml
+with:
+ actions_exclude: ["main"]
+```
+Default: Set to `*` meaning that actions that are referred to by a branch are never pinned.
+
+#### Exclude container images
+The `images_exclude` input allows you to exclude certain container images from the check. This is useful if you have images that you don't want to pin.
+
+```yml
+with:
+ images_exclude: ["nginx"]
+```
+
+Default: `["scratch"]`
+
+#### Exclude container image tags
+The `images_exclude_tags` input allows you to exclude certain tags from the check. Some tags are not meant to be pinned, like `latest`.
+
+```yml
+with:
+ images_exclude_tags: ["latest"]
+```
+
 ### Create a token
 To enable the action to create a pull request (`open_pr: true`) , you will need to create a new token with the correct scope. This is needed because the default `GITHUB_TOKEN` doesn't have the necessary permissions (`workflows`).
diff --git a/main.go b/main.go
index b12ebe9..74be470 100644
--- a/main.go
+++ b/main.go
@@ -85,6 +85,24 @@ func initAction(ctx context.Context) (*action.FrizbeeAction, error) {
 return nil, fmt.Errorf("failed to clone repository: %w", err)
 }
 
+ cfg := config.DefaultConfig()
+ excludeActions := os.Getenv("INPUT_ACTIONS_EXCLUDE")
+ if excludeActions != "" {
+ cfg.GHActions.Exclude = valToStrings(excludeActions)
+ }
+ excludeBranches := os.Getenv("INPUT_ACTIONS_EXCLUDE_BRANCHES")
+ if excludeBranches != "" {
+ cfg.GHActions.ExcludeBranches = valToStrings(excludeBranches)
+ }
+ excludeImages := os.Getenv("INPUT_IMAGES_EXCLUDE")
+ if excludeImages != "" {
+ cfg.Images.ExcludeImages = valToStrings(excludeImages)
+ }
+ excludeTags := os.Getenv("INPUT_IMAGES_EXCLUDE_TAGS")
+ if excludeTags != "" {
+ cfg.Images.ExcludeTags = valToStrings(excludeTags)
+ }
+
 // Read the action settings from the environment and create the new frizbee replacers for actions and images
 return &action.FrizbeeAction{
 Client: github.NewClient(tc),
@@ -99,8 +117,8 @@ func initAction(ctx context.Context) (*action.FrizbeeAction, error) {
 OpenPR: os.Getenv("INPUT_OPEN_PR") == "true",
 FailOnUnpinned: os.Getenv("INPUT_FAIL_ON_UNPINNED") == "true",
- ActionsReplacer: replacer.NewGitHubActionsReplacer(config.DefaultConfig()).WithGitHubClientFromToken(token),
- ImagesReplacer: replacer.NewContainerImagesReplacer(config.DefaultConfig()),
+ ActionsReplacer: replacer.NewGitHubActionsReplacer(cfg).WithGitHubClientFromToken(token),
+ ImagesReplacer: replacer.NewContainerImagesReplacer(cfg),
 BFS: fs,
 Repo: repo,
 }, nil
@@ -125,14 +143,18 @@ func cloneRepository(url, owner, accessToken string) (billy.Filesystem, *git.Rep
 }
 func envToStrings(env string) []string {
+ return valToStrings(os.Getenv(env))
+}
+
+func valToStrings(val string) []string {
 var vals []string
- if env == "" {
+ if val == "" {
 return []string{}
 }
- if err := json.Unmarshal([]byte(os.Getenv(env)), &vals); err != nil {
- log.Printf("Error unmarshalling %s: %v", env, err)
+ if err := json.Unmarshal([]byte(val), &vals); err != nil {
+ log.Printf("Error unmarshalling %s: %v", val, err)
 return []string{}
 }