This article shows how to use Tidelift with Bitbucket Pipelines. This example is intended as a reference and not to be applied verbatim to your production environment. Depending on the package manager your project is using, you will need to have a Bitbucket Pipeline that is suited for building with that package manager. In this example, we are going to use a default Atlassian build environment.
We first create a project in Tidelift and generate an API key. We next add a Bitbucket Pipelines step to check catalog alignment during a build. Finally, we set appropriate variables in Bitbucket to keep private token information secure.
To get started, you will need:
- A Tidelift Subscription (Please contact us if you are interested in learning more about Tidelift)
- An Atlassian account with a corresponding Bitbucket instance
Create a Project in Tidelift and generate an API key
- After logging into the Tidelift Subscription dashboard, select Projects
- Select Create New Project
- Enter the project name and remember that spaces, periods, or slashes are not valid naming characters in project names
- When prompted, select the catalog you want the project to align with
- Close the Upload manifest files dialog to skip manually uploading manifests
- Select the Projects actions and settings gear on the left navigation
- Select Get Project Key then select Create Project Key.
- Copy the CI/CD usage API_KEY and note the Organization-name and project-name
In the above example:
- organization-name = "souza-weisberg-holdings"
- project-name = my-bitbucket-project
Add the API Key to the Bitbucket Pipeline Job
Always check with your Security Administrators to ensure you are following your companies policies for securing and storing secrets.
From your Bitbucket repository, Select Settings > Repository variables (under Pipelines)
Create a new variable called TL_TOKEN and paste in the Token value you generated at the end of step 1. Select the Secured check-mark to keep this token secure.
Add pipeline step to check alignment with Tidelift
- In Bitbucket Pipelines select the pipeline to use the Tidelift CLI with
- Add a job with the steps to set the Tidelift API Key
- Checkout code from version control
- Download the Tidelift CLI
- Run an alignment with the Tidelift CLI
- apt-get -y update
- apt-get -y install python3.8-venv
- python3 -m venv env
- export TIDELIFT_API_KEY=$TL_TOKEN
- echo "Downloading Tidelift CLI"
- curl https://download.tidelift.com/cli/tidelift -o tidelift
- echo "Setting Tidelift CLI permissions"
- chmod +x tidelift
- echo "Running alignment and saving to Tidelift"
- ./tidelift alignment save --wait
Note: The example above is for a Python based project. The atlassian/default-image:3 default environment comes with Python 3.8.10 preinstalled.
🙌 Woo hoo! 🙌 You have successfully configured Bitbucket to work with the Tidelift Subscription
Reviewing your scan results in Bitbucket
After the tidelift step of your Pipeline executes, you will see when your builds fail or succeed. The fail or pass is determined by your Tidelift open source policy. You can see the default policy and learn how to configure this policy to meet the needs of your organization.
Note: The Tidelift CLI will attempt to detect the branch of the pipeline automatically in CLI v1.3.0 and later. If the branch can not be detected, the branch will need to be specified using the branch flag. Please see the CLI reference for more information.
Once the required job steps have been added to the pipeline, select Save. Test the new pipeline configuration by selecting Run Now from pipelines dashboard. Any unapproved packages that are included in the pipeline will cause the check to fail. The output will include a Tidelift link with more info and actions a developer can take to either request new packages or switch to already-approved releases.