Overview
Tidelift integrates with JFrog Artifactory to help your development teams stay safe and only use approved open source releases. The integration syncs the list of approved and denied releases in one of your Tidelift catalogs to an Artifactory repository. Developers will be unable to download denied releases from Artifactory.
The integration provides an alternate or additional way to enforce adherence to the catalog if CI/CD is not available. The integration is not intended to serve as a replacement for project and bill of material tracking and measuring project health with Tidelift.
Technical requirements
The following are requirements to be able to successfully use this integration.
| Artifactory product and version | Self-hosted 6.x or higher (7.x or higher preferred) with the ability to install Artifactory plugins |
| Artifactory repository types | remote and local (virtual repositories are not supported) |
| Package ecosystems | Javascript (npm), Java (maven, gradle), and Ruby (rubygems) |
If you are using an older version of Artifactory self-hosted, Artifactory Cloud, or require support for different ecosystems, please contact support@tidelift.com.
How the integration works
The Tidelift plugin triggers based on two primary events within Artifactory: afterCreate and download.
afterCreate), the Artifactory webhook will make an asynchronous call to tidelift.com to request the package. The tidelift.status artifact property to pending (unless otherwise specified in a tidelift.config.json file). Similarly, when a developer requests a package through Tidelift, the artifact will be created in Artifactory with a tidelift.status property.When a package release is approved or denied within the Tidelift catalog, then Tidelift will update the tidelift.status on that artifact in Artifactory to approved or denied, respectively, using a POST HTTP method.
The Tidelift plugin will then monitor all download events within Artifactory to block any artifacts with a tidelift.status of denied from being downloaded. The download hook fires on every download request regardless of whether or not the package is in Artifactory already.
Set-up instructions
1. Get the appropriate API key from Tidelift
Request an Artifactory key by emailing contacting support. We will respond via email with the appropriate key for Artifactory. This API Key is used in Step 4 below.
2. Install Tidelift plugin in Artifactory
$ARTIFACTORY_HOME/var/etc/pluginsDownload Tidelift's Artifactory plugin.
3. Add the tidelift.config.json file in Artifactory
The tidelift.config.json file should be placed in the /plugins folder of Artifactory. An example config file with default values set is below. Documentation for config values is below.
{
"statusOnCreate": "pending",
"pluginUsers": ["tidelift", "admin"]
}
4. Setup webhooks in Artifactory
For Artifactory 7.6+
Administration > General > Webhooks , with the following values:Name: Tidelift URL: https://api.tidelift.com/external-api/artifactory/webhook Event: "Artifact was deployed" (and pick the Artifactory repositories you'll use for your Tidelift Catalog) Secret Token: <Tidelift API key from the first step><br>
For Artifactory <7.6
$ARTIFACTORY_HOME/var/etc/plugins).5. Refresh the plugins
Once the plugin is set up, Artifactory needs to refresh the install plugins to enable the integration. This can be accomplished by sending a web request to the Artifactory server as detailed here https://www.jfrog.com/confluence/display/JFROG/Artifactory+REST+API#ArtifactoryRESTAPI-ReloadPlugins
curl -s -u admin:<admin password> -d "" $ARTIFACTORY_HOST/artifactory/api/plugins/reload. In order to update the properties of each artifact in Artifactory, Tidelift needs to be able to make web requests to the on-premise Artifactory. Your network should be configured to expose a port externally for Artifactory so that the web requests can be made to update the Tidelift status of artifacts via the plugin. Once the network is configured for external access, the configuration within Tidelift should be updated to the correct URL and port on the Artifactory integration settings page.
This step may require working with an Artifactory or network administrator.
6. Set up the integration in Tidelift
- In the Tidelift dashboard, go to Settings > Integrations > Artifactory
- Enter the Artifactory URL and API Key
- Once a connection has been established, you can link Artifactory repositories with Tidelift catalogs
7. Testing the integration
To make sure everything is working properly, you can run the following tests:
- Request a package release in Tidelift, you should see this release show up as an artifact in Artifactory with the default
tidelift.status - Approve the request, you should see the artifact's
tidelift.statusproperty update to approve. - Request another release and deny the request, you should see the artifact's
tidelift.statusproperty update to deny. - Try to download this denied release from the Artifactory repository as a developer, you should receive a Forbidden 403 error message.
Tidelift configuration file documentation
A configuration file called tidelift.config.json should be stored in the /plugins folder of Artifactory (see Step 3 in Install Instructions). The following options can be configured. statusOnCreate (default: pending)
The config file can be used to set the tidelift.status for newly created artifacts. Since artifacts are created in Artifactory as soon as a release is requested in Tidelift, this property is useful for changing whether or not developers can download the package while their request is pending. When "statusonCreate is set to pending or approved, new releases/artifacts will be available for download when requested. By setting statusOnCreate to denied, the releases/artifacts will not be available for download when requested. Users will not be able to download the releases until the releases are approved in Tidelift.
pluginUsers (default: ["tidelift", "admin"])
The config setting pluginUsers allows users to customize the Artifactory users that are allowed to hit the plugin endpoints.