This article shows how to use the Tidelift CLI with GitLab Pipelines to check catalog alignment during a build stage. This lets a build fail when it includes unapproved packages, as part of the normal CI/CD process.
To get started, you will need:
1. A Tidelift Subscription
2. A GitLab account which can access Tidelift
With the appropriate configuration, GitLab can use the Tidelift CLI to run an alignment as part of a pipeline. For each Tidelift project, create a Project and API key in Tidelift and store that key in the secrets mechanism your CI system provides. Alternatively, an organization-level API key can be created that is scoped only to running alignments but works across all projects. In this example, the API key is stored as a masked GitLab CI/CD variable. Next, add a job to your pipeline that sets the Tidelift API key from that variable, downloads the Tidelift CLI, and runs an alignment against the code GitLab has already checked out for the job.
Create a Project in Tidelift and generate an API key in the Tidelift application
After logging into the Tidelift Subscription dashboard, select Projects, then Create New Project. Enter a project name (spaces, periods, and slashes are not valid characters in project names). When prompted, select the catalog you want the project to align with.
Close the Upload manifest files dialog to skip manually uploading manifests.
Select the Projects actions and settings gear in the left navigation, select Get Project Key, then select Create Project Key.
Copy the CI/CD usage API_KEY and note the Organization-name/project-name.
In the example project used in this article:
- Organization-name: "souza-weisberg-holdings"
- project-name: "gitlab-test-project"
Add the API Key to the GitLab Pipeline Job
NOTE: Always check with your Security Administrators to ensure you are following your company's policies for securing and storing secrets.
In this example, the Tidelift API key is saved as a masked variable. Do this from the GitLab project settings page under CI/CD > Variables: name the variable, paste the API key into the value field, and select Masked so the key is redacted from job logs (GitLab can only mask a value that is a single line of at least 8 characters). Masking hides the value in logs; it does not stop a job script from reading the key, so also select Protected if the key should be available only to pipelines on protected branches and tags, and keep the ability to edit the pipeline configuration limited to people you would trust with the key itself.
Add pipeline job step to check alignment with Tidelift
In GitLab Pipelines, select the pipeline to use the Tidelift CLI with. Add a job that sets the Tidelift API key from the CI/CD variable, downloads the Tidelift CLI, and runs an alignment with it. GitLab checks out the repository at the start of the job, so no explicit checkout step is needed.
gitlab-ci.yml example:
build-job:
  stage: build
  image: ruby  # other Debian-based images may work; the CLI requires glibc, so Alpine-based (musl) images will not work
  variables:
    TIDELIFT_API_KEY: $TIDELIFT_API_KEY_PROTECTED_VARIABLE  # keep the key in a masked, protected GitLab CI/CD variable: https://docs.gitlab.com/ee/ci/variables/#create-a-custom-variable-in-the-ui
  script:
    - echo "Downloading Tidelift CLI"
    - curl -fsSL https://download.tidelift.com/cli/tidelift -o tidelift  # -f fails the job on an HTTP error instead of saving the error page as the binary
    - echo "Setting permissions"
    - chmod +x tidelift
    - echo "Running alignment and saving to Tidelift"
    - ./tidelift alignment save --wait
Note: In CLI v1.3.0 and later, the Tidelift CLI attempts to detect the pipeline's branch automatically. If the branch cannot be detected, specify it with the branch flag. Please see the CLI reference for more information.
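A hardened version of the job's script section, added here as an example; it is not code from Tidelift or GitLab. It performs the same three actions as the gitlab-ci.yml above (download the CLI, make it executable, run alignment save --wait) but refuses to start with an empty key, checks that the downloaded file is really an ELF binary rather than an error page, and passes the branch explicitly from GitLab's predefined CI_* variables to cover the case in the note above where auto-detection fails. Two things are assumptions rather than facts from the article: that the CLI's branch flag is spelled --branch (confirm against the CLI reference), and the suggested file name ci/tidelift-align.sh. The script only runs the alignment when invoked with the argument run, so it can be sourced or tested without network access.

```shell
#!/bin/sh
# Added example: hardened Tidelift alignment step for a GitLab job.
# Not Tidelift's or GitLab's own code. Assumes the CLI accepts --branch.
set -eu

TIDELIFT_CLI_URL="${TIDELIFT_CLI_URL:-https://download.tidelift.com/cli/tidelift}"

# Fail fast if the key was not injected. An empty key usually means a protected
# variable was used from an unprotected branch, or the variable name is wrong.
# The value itself is never printed; masking is a safety net, not a substitute.
require_api_key() {
  if [ -z "${TIDELIFT_API_KEY:-}" ]; then
    echo "TIDELIFT_API_KEY is empty: check the CI/CD variable name and whether this ref is protected" >&2
    return 1
  fi
  return 0
}

# Pick the branch from GitLab's predefined variables so the alignment is recorded
# against the right branch even where the CLI's own detection fails. Merge-request
# pipelines expose the source branch separately; tag pipelines only set CI_COMMIT_REF_NAME.
resolve_branch() {
  if [ -n "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME:-}" ]; then
    printf '%s\n' "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME"
  elif [ -n "${CI_COMMIT_BRANCH:-}" ]; then
    printf '%s\n' "$CI_COMMIT_BRANCH"
  elif [ -n "${CI_COMMIT_REF_NAME:-}" ]; then
    printf '%s\n' "$CI_COMMIT_REF_NAME"
  else
    echo "cannot determine branch: no GitLab CI_* ref variables are set" >&2
    return 1
  fi
}

# The CLI is a native Linux binary (the article notes it needs glibc), so a genuine
# download starts with the ELF magic. An HTML error page or proxy login page saved
# under the same name would otherwise fail later with a confusing "exec format error".
is_elf() {
  [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')" = "177ELF" ]
}

download_cli() {
  dest="$1"
  # -f: non-zero exit on HTTP errors instead of saving the error body as the binary
  # -sS: no progress meter, but errors are still reported; -L: follow redirects
  curl -fsSL "$TIDELIFT_CLI_URL" -o "$dest"
  if ! is_elf "$dest"; then
    echo "downloaded file is not an ELF executable; refusing to run it" >&2
    rm -f "$dest"
    return 1
  fi
  chmod +x "$dest"
}

run_alignment() {
  require_api_key
  branch="$(resolve_branch)"
  download_cli ./tidelift
  # --wait blocks until the alignment result is available, so the job's exit status
  # reflects whether unapproved packages were found. --branch is assumed (see lead-in).
  ./tidelift alignment save --wait --branch "$branch"
}

# Only run the alignment when explicitly asked to; invoking or sourcing the file
# without the argument just defines the functions above.
if [ "${1:-}" = "run" ]; then
  run_alignment
fi
```

Commit it as, for example, ci/tidelift-align.sh and replace the job's script list with a single entry, `- sh ci/tidelift-align.sh run`; the variables mapping that sets TIDELIFT_API_KEY stays exactly as in the gitlab-ci.yml example.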
Once the required job steps have been added to the pipeline, select Save. Test the new configuration by selecting Run pipeline from the Pipelines dashboard. Any unapproved packages found in the project's dependency manifests will cause the check, and therefore the job, to fail. The output includes a Tidelift link with more information and the actions a developer can take: request approval for the new packages or switch to already-approved releases.