Set up JFrog CLI in your GitHub Actions workflow
This GitHub Action downloads, installs and configures JFrog CLI, so that it can be used as part of the workflow.
Additionally, the Action incorporates the following features when utilizing JFrog CLI to interact with the JFrog Platform:
- uses: jfrog/setup-jfrog-cli@v4
- run: jf --version
JFrog CLI operates in conjunction with the JFrog Platform. In order to facilitate this connection, certain connection details of the JFrog Platform must be provided. There exist two methods to provide these details, and you only need to choose one method:
You can choose one of the following two methods to set the connection details to the JFrog Platform as secrets:
The connection details of the JFrog platform used by JFrog CLI can be stored as secrets. You can use one of the following two methods to define and store the JFrog Platform connection details as secrets.
You can set the connection details to your JFrog Platform by using one of the following environment variable combinations:
You can use these environment variables in your workflow as follows:
- uses: jfrog/setup-jfrog-cli@v4
  env:
    # JFrog platform url (for example: https://acme.jfrog.io)
    JF_URL: ${{ secrets.JF_URL }}
    # Basic authentication credentials
    JF_USER: ${{ secrets.JF_USER }}
    JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
    # or
    # JFrog Platform access token
    JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
- run: |
    jf rt ping
Important: If both a Config Token (JF_ENV_*) and separate environment variables (JF_URL, ...) are provided, the default config will be the Config Token. To make the separate environment variables above the default config, use jf c use setup-jfrog-cli-server.
jf -v
jf c add
jf c export <SERVER ID>
To use the saved JFrog platform configuration in the workflow, all you need to do is expose the secret to the workflow. The secret should be exposed as an environment variable with the JF_ENV_ prefix. Here's how you do this:
- uses: jfrog/setup-jfrog-cli@v4
  env:
    JF_ENV_1: ${{ secrets.JF_SECRET_ENV_1 }}
- run: |
    # Ping the server
    jf rt ping
As you can see in the example above, we created a secret named JF_SECRET_ENV_1 and exposed it to the workflow as the JF_ENV_1 environment variable. That's it - the ping command will now ping the configured Artifactory server.
If you have multiple Config Tokens as secrets, you can use all of them in the workflow as follows:
- uses: jfrog/setup-jfrog-cli@v4
  env:
    JF_ENV_1: ${{ secrets.JF_SECRET_ENV_1 }}
    JF_ENV_2: ${{ secrets.JF_SECRET_ENV_2 }}
- run: |
    # Set the utilized JFrog configuration by providing the server ID (configured by the 'jf c add' command).
    jf c use local-1
    # Ping local-1 Artifactory server
    jf rt ping
    # Now use the second server configuration exposed to the Action.
    jf c use local-2
    # Ping local-2 Artifactory server
    jf rt ping
Important: When exposing more than one JFrog configuration to the Action, you should always add the jf c use command to specify the server to use.
The sensitive connection details, such as the access token used by JFrog CLI on the JFrog platform, can be automatically generated by the action instead of storing it as a secret in GitHub. This is made possible by leveraging the OpenID-Connect (OIDC) protocol. This protocol can authenticate the workflow issuer and supply a valid access token, requiring only the JF_URL environment variable. Learn more about this integration in this blog post. To utilize the OIDC protocol, follow these steps:
General | Manage Integrations | New Integration | OpenID Connect:
NOTE:
The value specified as the 'Provider Name' should be used as the oidc-provider-name input in Workflow configuration step 2 below.
The 'Audience' field does not represent the 'aud' claim for insertion into the identity-mapping in Platform configuration step 2 below. Only the claims included in the Claims Json created during step 2 will be validated.
Configure an identity mapping: This phase sets up an integration between a particular GitHub repository and the JFrog Platform.
An identity mapping is a configuration object utilized by the JFrog Platform to associate incoming OIDC claims with particular selected fields. These fields might include repository, actor, workflow, and others.
To configure the identity mapping, click on the identity mapping created in section 1 and then click on Add Identity Mapping. Fill in priority 1 and fill out all required fields:
You have the flexibility to define any valid list of claims required for request authentication. You can check a list of the possible claims here. Example Claims JSON:
{
  "repository": "repository-owner/repository-name"
}
Set required permissions: In the course of the protocol's execution, it's imperative to acquire a JSON Web Token (JWT) from GitHub's OIDC provider. To request this token, it's essential to configure the specified permission in the workflow file:
permissions:
  id-token: write
Pass the 'oidc-provider-name' input to the Action (Required): The 'oidc-provider-name' parameter designates the OIDC configuration in which one of the identity mappings should match the generated JWT claims. This input needs to match the 'Provider Name' value established within the OIDC configuration in the JFrog Platform.
Pass the 'oidc-audience' input to the Action (Optional): The 'oidc-audience' input defines the intended recipients of an ID token (JWT), ensuring access is restricted to authorized recipients for the JFrog Platform. By default, it contains the URL of the GitHub repository owner. It enforces a condition, allowing only workflows within the designated repository/organization to request an access token. Read more about it here.
Example step utilizing OpenID Connect:
- uses: jfrog/setup-jfrog-cli@v4
  env:
    JF_URL: ${{ secrets.JF_URL }}
  with:
    oidc-provider-name: setup-jfrog-cli
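Because only the claims listed in the Claims JSON are validated, the choice of claims decides which workflow runs can obtain an access token. The following added example (not part of the Action or of JFrog's code) compares the repository-only Claims JSON shown above with a narrower one. It assumes a simple exact-equality match per claim, and the sample tokens, actors, branch names and the `ref` claim values are constructed for illustration.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_token(claims: dict) -> str:
    """Build a constructed JWT-shaped string with a placeholder signature."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url(header), _b64url(claims), "constructed-signature"])

def token_claims(jwt: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified here."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def mapping_matches(claims_json: dict, claims: dict) -> bool:
    """Assumed rule: every key in the Claims JSON must equal the token's claim."""
    return all(claims.get(key) == value for key, value in claims_json.items())

REPO = "repository-owner/repository-name"
# Constructed sample runs; claim names follow GitHub's OIDC token format.
RUNS = {
    "release-on-main": sample_token({"repository": REPO, "ref": "refs/heads/main",
                                     "workflow": "release", "actor": "alice"}),
    "ci-on-feature": sample_token({"repository": REPO, "ref": "refs/heads/feature-x",
                                   "workflow": "ci", "actor": "bob"}),
    "other-repo": sample_token({"repository": "repository-owner/other",
                                "ref": "refs/heads/main", "workflow": "release",
                                "actor": "alice"}),
}

REPO_ONLY = {"repository": REPO}  # the page's example Claims JSON
SCOPED = {"repository": REPO, "ref": "refs/heads/main", "workflow": "release"}

def accepted(claims_json: dict) -> list:
    """Names of the sample runs whose token claims satisfy the mapping."""
    return sorted(name for name, tok in RUNS.items()
                  if mapping_matches(claims_json, token_claims(tok)))

if __name__ == "__main__":
    print("repo-only:", accepted(REPO_ONLY))
    print("scoped:   ", accepted(SCOPED))
```

With the repository-only mapping, every workflow on every branch of the repository matches; adding `ref` and `workflow` restricts the match to the release workflow on the main branch.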
The Action automatically sets the environment variables JFROG_CLI_BUILD_NAME and JFROG_CLI_BUILD_NUMBER to the workflow name and run number respectively. You therefore don't need to specify the build name and build number on any of the build-related JFrog CLI commands.
In the following example, all downloaded files are registered as dependencies of the build and all uploaded files are registered as the build artifacts.
- run: |
    jf rt dl artifacts/
    jf rt u aether artifacts/
    jf rt bp
By default, the JFrog CLI version set in action.yml is used. To set a specific version, add the version input as follows:
- uses: jfrog/setup-jfrog-cli@v4
  with:
    version: X.Y.Z
It is also possible to set the latest JFrog CLI version by adding the version input as follows:
- uses: jfrog/setup-jfrog-cli@v4
  with:
    version: latest
Important: Only JFrog CLI versions 1.46.4 or above are supported.
If your agent has no Internet access, you can configure the workflow to download JFrog CLI from a remote repository in your JFrog Artifactory, which is configured to proxy the official download URL.
Here's how you do this:
Create a remote repository in Artifactory. Name the repository jfrog-cli-remote and set its URL to https://releases.jfrog.io/artifactory/jfrog-cli/
Set download-repository input to jfrog-cli-remote:
- uses: jfrog/setup-jfrog-cli@v4
  env:
    # JFrog platform url (for example: https://acme.jfrog.io)
    JF_URL: ${{ secrets.JF_URL }}
    # Basic authentication credentials
    JF_USER: ${{ secrets.JF_USER }}
    JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
    # JFrog platform access token (if JF_USER and JF_PASSWORD are not provided)
    # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
    # Same can be achieved with a Config Token using JF_ENV_1 environment variable
    # JF_ENV_1: ${{ secrets.JF_SECRET_ENV_1 }}
  with:
    download-repository: jfrog-cli-remote
Need a FREE JFrog environment in the cloud to use with this GitHub Action? Just run one of the following commands in your terminal. The commands will do the following:
macOS and Linux using cURL
curl -fL "https://getcli.jfrog.io?setup" | sh
Windows using PowerShell
powershell "Start-Process -Wait -Verb RunAs powershell '-NoProfile iwr https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/[RELEASE]/jfrog-cli-windows-amd64/jf.exe -OutFile $env:SYSTEMROOT\system32\jf.exe'" ; jf setup
To help you get started, you can use these sample projects on GitHub.
We welcome pull requests from the community. To help us improve this project, please read our Contribution guide.