TLDR

- Frizbee is a Go CLI and library that replaces GitHub Actions and container image tags with pinned checksums for supply chain security.

Key Takeaways

- Run frizbee actions path/to/.github/workflows/ to bulk-replace all uses: references with digest-pinned equivalents in place.
- frizbee image ghcr.io/stacklok/minder/server:latest returns the SHA256 digest for any container image tag.
- Dry-run mode and a non-zero exit on changes make it CI/CD-friendly for enforcement pipelines.
- .frizbee.yml lets you exclude specific actions, branches (default: main/master), images, or tags (default: latest, scratch).
- Available as a Go library with replacer.NewGitHubActionsReplacer and replacer.NewContainerImagesReplacer for programmatic use.
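As an added example (not frizbee's own code), a small Go check in the spirit of frizbee's dry-run mode: it scans workflow YAML for uses: and image: references that are still tag- or branch-based and returns them, so a CI step can fail when a reference has drifted from a digest pin. The regexes, the constructed sample workflow and the placeholder 40-hex SHA are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one mutable reference: its line, kind ("action" or "image") and the ref as written.
type Finding struct{ Line int; Kind, Ref string }

// Line-oriented matching is a heuristic for the common YAML layouts, not a full YAML parser.
var (
	usesRe  = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	imageRe = regexp.MustCompile(`^\s*image:\s*["']?([^"'\s#]+)`)
)

// Only these forms are immutable; tags (@v4, :latest) and branches (@main) are not.
var pinnedRe = map[string]*regexp.Regexp{
	"action": regexp.MustCompile(`@[0-9a-f]{40}$`),        // owner/repo@<commit sha>
	"image":  regexp.MustCompile(`@sha256:[0-9a-f]{64}$`), // name@sha256:<digest>
}

// IsPinned reports whether ref is pinned to a digest for the given kind.
func IsPinned(kind, ref string) bool { return pinnedRe[kind].MatchString(ref) }

// FindUnpinned returns every uses:/image: reference that is not digest-pinned;
// local actions (./path) have nothing to pin and are skipped.
func FindUnpinned(workflow string) []Finding {
	var out []Finding
	for i, line := range strings.Split(workflow, "\n") {
		kind, m := "action", usesRe.FindStringSubmatch(line)
		if m == nil {
			kind, m = "image", imageRe.FindStringSubmatch(line)
		}
		if m != nil && !strings.HasPrefix(m[1], "./") && !IsPinned(kind, m[1]) {
			out = append(out, Finding{i + 1, kind, m[1]})
		}
	}
	return out
}

// sampleWorkflow is constructed for this example; the 40-hex SHA is a placeholder, not a real commit.
const sampleWorkflow = `jobs:
  build:
    container:
      image: ghcr.io/stacklok/minder/server:latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder)
      - uses: ./.github/actions/local-step
`

// A CI gate would exit non-zero when this list is non-empty, mirroring frizbee's dry-run.
func main() { fmt.Println(FindUnpinned(sampleWorkflow)) }
```

On the sample this reports the :latest image on line 4 and the @v4 action on line 6, while the SHA-pinned and local actions pass.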
Hacker News Comment Review

- No substantive HN discussion yet.