Tidelift integrates with GitLab Pipelines and Code Quality so developers can see where new issues are being introduced into the code base. They can then fix these issues faster and keep known issues from being introduced into the code base.
To get started, you will need:
1. A Tidelift Subscription and an Organization API key with the GitLab feature enabled (contact your Tidelift representative for help)
2. A GitLab account which can access Tidelift via the public internet
With the appropriate configuration, GitLab can use the Tidelift CLI to run an alignment as part of a pipeline. This allows the pipeline to check the codebase for introduced issues, such as:
- A newly discovered vulnerability
- An addition of an end-of-life or deprecated package
- A violation of your licensing standard
Add your Organization API key to the GitLab Pipeline Job
NOTE: Always check with your Security Administrators to ensure you are following your company's policies for securing and storing secrets.
In this example, the Tidelift API key is saved as a masked variable. This can be done from the GitLab project settings page under CI/CD > Variables. Name the variable TIDELIFT_API_KEY and paste the API key into the value field. Make sure to select Masked to keep the API key from printing in job logs.
Add pipeline job step to check alignment with Tidelift
Go to "CI/CD Configuration" in GitLab for your project. Here you can add code to your GitLab pipeline to integrate with Tidelift.
Here is an example .gitlab-ci.yml. Note where you may need to add additional CI variables, and where you may need to set a specific 'image' parameter.
# Requirements
#
# Required variables:
#
# TIDELIFT_API_KEY must be a GitLab CI variable set to your Tidelift API key.
#
# Note: Your Tidelift API key can be used to perform operations in Tidelift,
# and should not be exposed to untrusted users. See
# https://docs.gitlab.com/ee/ci/variables/#cicd-variable-security for
# options for securing environment variables.
#
# Optional variables if you do not want to pre-create projects in Tidelift
# and have not saved a .tidelift file in your project's repository:
#
# TIDELIFT_ORGANIZATION should be a GitLab CI variable set to your Tidelift
# organization name. (The tidelift-code-quality job below also uses it to
# build the report URL.)
#
# TIDELIFT_CATALOG should be a GitLab CI variable set to your preferred
# catalog name.
tidelift-alignment:
  # Choose an appropriate image for your build environment.
  # Examples include:
  #
  # image: python
  # image: node:20
  # image: golang:1.22
  stage: build
  allow_failure: true
  script:
    - echo "Downloading Tidelift CLI"
    - curl https://download.tidelift.com/cli/tidelift -o tidelift
    - echo "Setting permissions"
    - chmod +x tidelift
    - echo "Creating project if necessary"
    - sh -c "./tidelift projects new $CI_PROJECT_NAME ${TIDELIFT_CATALOG:+--catalog $TIDELIFT_CATALOG} || :"
    - echo "Running alignment and saving to Tidelift"
    - sh -c "./tidelift alignment save --revision $CI_COMMIT_SHA --project $CI_PROJECT_NAME ${TIDELIFT_CATALOG:+--catalog $TIDELIFT_CATALOG} --wait"

tidelift-code-quality:
  # Runs in the default "test" stage, after tidelift-alignment has finished,
  # and fetches this commit's alignment result as a GitLab Code Quality report.
  # The command is a block scalar because the "Authorization: Bearer" header
  # contains a colon, which YAML would otherwise read as a mapping.
  script:
    - |
      curl -fH "Authorization: Bearer $TIDELIFT_API_KEY" \
        "https://api.tidelift.com/external-api/v1/catalog/$TIDELIFT_ORGANIZATION/$CI_PROJECT_NAME/alignments/$CI_COMMIT_SHA/gitlab-quality-report" \
        > gl-code-quality-report.json
  artifacts:
    expire_in: 4 days
    reports:
      codequality: gl-code-quality-report.json
This example pipeline code is also available at https://github.com/tidelift/gitlab-pipeline-example/.
Once the required job steps have been added to the pipeline, select Save. Test the new pipeline configuration by selecting Run pipeline from the Pipelines dashboard.
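The alignment job above uses allow_failure: true, so findings are reported but never block a merge. As an added example (not Tidelift's code or part of its documentation), the following Python script reads a gl-code-quality-report.json in the GitLab Code Quality format, counts findings by severity and exits non-zero when any finding reaches a chosen severity, so a later job can enforce a gate. The embedded report is a constructed sample, the severity names are those defined by the GitLab report format rather than any Tidelift mapping, and in CI the artifact path would be passed as the first argument.

```python
import json
import sys
from collections import Counter

# Severity levels of the GitLab Code Quality report format, least to most severe.
SEVERITY_ORDER = ["info", "minor", "major", "critical", "blocker"]

# Constructed sample of a gl-code-quality-report.json (illustrative, not real Tidelift output).
SAMPLE_REPORT = json.dumps([
    {"description": "Vulnerability reported for package example-lib 1.2.3",
     "check_name": "vulnerability", "fingerprint": "sample-1", "severity": "critical",
     "location": {"path": "requirements.txt", "lines": {"begin": 4}}},
    {"description": "Package old-lib 0.9 is end-of-life",
     "check_name": "end_of_life", "fingerprint": "sample-2", "severity": "major",
     "location": {"path": "requirements.txt", "lines": {"begin": 7}}},
    {"description": "License of other-lib violates the catalog's license standard",
     "check_name": "license", "fingerprint": "sample-3", "severity": "minor",
     "location": {"path": "requirements.txt", "lines": {"begin": 9}}},
])

def load_report(text):
    """Parse a report and check the fields GitLab requires on every issue."""
    issues = json.loads(text)
    if not isinstance(issues, list):
        raise ValueError("report must be a JSON array of issues")
    for issue in issues:
        for key in ("description", "fingerprint", "severity", "location"):
            if key not in issue:
                raise ValueError(f"issue missing required field {key!r}")
        if issue["severity"] not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {issue['severity']!r}")
    return issues

def count_by_severity(issues):
    return Counter(issue["severity"] for issue in issues)  # missing levels count as 0

def failing_issues(issues, threshold="critical"):
    """Issues at or above the threshold; a non-empty list means the gate fails."""
    floor = SEVERITY_ORDER.index(threshold)
    return [i for i in issues if SEVERITY_ORDER.index(i["severity"]) >= floor]

def main(argv):
    issues = load_report(open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT)
    print(dict(count_by_severity(issues)))
    failing = failing_issues(issues)
    for issue in failing:
        print(f"BLOCKING {issue['severity']}: {issue['description']} ({issue['location']['path']})")
    return 1 if failing else 0  # a non-zero exit code fails the CI job

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```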
View Code Quality results
Now, when a new merge request is opened, the code quality will be checked with Tidelift and new issues will show up in the Code Quality section of the GitLab UI.
For more detail on each item, examine the pipeline output.