From 92fa6b329f588bce3f37879d5eac86f4ccfa5dcd Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 3 Mar 2026 17:24:29 -0800
Subject: [PATCH] Show unpinned actions with file:line on frizbee failure

When frizbee detects unpinned actions, the error output only says "files were modified" with no detail. On failure, grep for the specific unpinned uses: lines so developers know exactly what to fix.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/frizbee.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml
index 4e81e6b..e34807b 100644
--- a/.github/workflows/frizbee.yml
+++ b/.github/workflows/frizbee.yml
@@ -23,4 +23,15 @@ jobs:
 - name: Check pinning
 env:
 GITHUB_TOKEN: ${{ github.token }}
- run: frizbee actions --dry-run --error .github/workflows/
+ run: |
+ # Run frizbee and capture exit code
+ frizbee actions --dry-run --error .github/workflows/ && exit 0
+
+ # On failure, show exactly which actions are unpinned
+ echo ""
+ echo "The following actions are not pinned to a SHA digest:"
+ echo ""
+ grep -rn 'uses:' .github/workflows/ | grep -v '@[0-9a-f]\{40,\}' | grep -v '^#' || true
+ echo ""
+ echo "Fix with: frizbee actions .github/workflows/"
+ exit 1
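Review bot: The last filter in the added pipeline, `grep -v '^#'`, never matches, because `grep -rn` prefixes every output line with `path:line:`, so commented-out `uses:` lines are reported as unpinned. Anchoring the first grep on the start of the file's own line avoids this: `grep -rnE '^[[:space:]]*(-[[:space:]]*)?uses:' .github/workflows/ | grep -vE '@[0-9a-f]{40}' || true`. The list is also printed for any non-zero frizbee exit, and references with no `@` at all (a local `./` action, for example) are listed too, so the output is a heuristic hint rather than frizbee's own finding and the heading could say so. The comment `# Run frizbee and capture exit code` does not match the code, which discards frizbee's exit code and always ends with `exit 1`. The gate itself is unchanged, since the job still fails whenever frizbee does.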