This Article shows how to use the Tidelift CLI with Azure Devops Pipelines to check catalog alignment during a build stage. This allows builds to fail that include unapproved packages as of a CI/CD process.
To get started, you will need:
1. A Tidelift Subscription (Please contact us if you are interested in learning more about Tidelift)
2. An Azure Devops (ADO) account which can access Tidelift
With the appropriate configuration, Azure Devops Pipelines can use the Tidelift CLI to run an alignment as part of your pipeline. For each Tidelift project, you can create a Project and API key in Tidelift and store that key in the appropriate secrets infrastructure provided by your CI system. An Organization level API key can also be created which is only scoped to run alignments, but works across all projects. In this example, the API key is stored as a secret variable in the pipeline settings. Next, you need to add steps to your pipeline job that set the Tidelift API Key, checkout code from version control, download the Tidelift CLI, and run an alignment with the Tidelift CLI.
1. Create a Project in Tidelift and generate an API key in the Tidelift webapp
After logging into the Tidelift Subscription dashboard, select Projects then Create New Project. Enter the project name and remember that spaces, periods, or slashes are not valid naming characters in project names. When prompted, select the catalog you want the project to align with.
Close the Upload manifest files dialog to skip manually uploading manifests.
Select the Projects actions and settings gear on the left navigation, select Get Project Key then select Create Project Key.
Copy the CI/CD usage API_KEY and note the Organization-name/project-name.
In the above example:
- Organization-name: "souza-weisberg-holdings"
- project-name: "azure-devops-test-project"
2. Add the API Key to the ADO Pipeline Job
NOTE: Always check with your Security Administrators to ensure you are following your companies policies for securing and storing secrets.
Next set the Tidelift API key as a secret variable. This can be done from the dashboard by selecting the pipeline then edit > variables. Name the variable and past the API key into the value field. Make sure the select the Keep this value secret option.
3. Add pipeline job step to check alignment with Tidelift
In ADO Pipelines, select the pipeline to use the Tidelift CLI with. Add a job with the steps to set the Tidelift API Key, checkout code from version control, download the Tidelift CLI, run an alignment with the Tidelift CLI.
# Azure Devops Pipeline example for checking dependencies from version control against a
# Tidelift Catalog
# Set build environment variable for the Tidelift API Key
- script: |
echo "Running Tidelift alignment"
echo "Downloading Tidelift CLI"
curl https://download.tidelift.com/cli/tidelift -o tidelift
echo "Setting Tidelift CLI permissions"
chmod +x tidelift
echo "Running alignment and saving to Tidelift"
./tidelift alignment save
displayName: Tidelift Alignment
Note: The Tidelift CLI will attempt to detect the branch of the pipeline automatically in CLI v1.3.0 and later. If the branch can not be detected, the branch will need to be specified using the branch flag. Please see the CLI reference for more information.
Once the required job steps have been added to the pipeline, select Save. Test the new pipeline configuration by selecting Run Now from pipelines dashboard. Any unapproved packages that are included in the pipeline will cause the check to fail. The output will include a Tidelift link with more info and actions a developer can take to either request new packages or switch to already-approved releases.