Using Tidelift with GitLab Pipelines

Tidelift integrates with GitLab Pipelines and Code Quality to let developers see where new issues are being introduced into the code base. They can then fix these issues faster and keep known issues out of your code base.

To get started, you will need:

1. A Tidelift Subscription and an Organization API key with the GitLab feature enabled (contact your Tidelift representative for help)

2. A GitLab account which can access Tidelift via the public internet

With the appropriate configuration, GitLab can use the Tidelift CLI to run an alignment as part of a pipeline. This allows the pipeline to check the codebase for introduced issues, such as:

  • A newly discovered vulnerability
  • An addition of an end-of-life or deprecated package
  • A violation of your licensing standard

Add your Organization API key to the GitLab Pipeline Job

NOTE: Always check with your Security Administrators to ensure you are following your company's policies for securing and storing secrets.

In this example, the Tidelift API key is saved as a masked variable. This can be done from the GitLab project settings page under CI/CD > Variables. Name the variable TIDELIFT_API_KEY and paste the API key into the value field. Make sure to select Masked to keep the API key from printing in server logs.


Add pipeline job step to check alignment with Tidelift

Go to "CI/CD Configuration" in GitLab for your project. Here you can add code to your GitLab pipeline to integrate with Tidelift.

Here is an example .gitlab-ci.yml. Note where you may need to add additional CI variables, and where you may need to set a specific 'image' parameter.

# Requirements
#
# Required variables:
#
#  TIDELIFT_API_KEY must be a GitLab CI variable set to your Tidelift API key.
#
#  Note: Your Tidelift API key can be used to perform operations in Tidelift,
#  and should not be exposed to untrusted users. See
#  https://docs.gitlab.com/ee/ci/variables/#cicd-variable-security for
#  options for securing environment variables.
#
# Optional variables if you do not want to pre-create projects in Tidelift
# and have not saved a .tidelift file in your project's repository:
#
#  TIDELIFT_ORGANIZATION should be a GitLab CI variable set to your Tidelift
#  organization name.
#
#  TIDELIFT_CATALOG should be a GitLab CI variable set to your preferred
#  catalog name

tidelift-alignment:
  # Choose an appropriate image for your build environment.
  # Examples include:
  #
  # image: python
  # image: node:20
  # image: golang:1.22
  stage: build
  allow_failure: true
  script:
    - echo "Downloading Tidelift CLI"
    - curl https://download.tidelift.com/cli/tidelift -o tidelift
    - echo "Setting permissions"
    - chmod +x tidelift
    - echo "Creating project if necessary"
    - sh -c "./tidelift projects new $CI_PROJECT_NAME ${TIDELIFT_CATALOG:+--catalog $TIDELIFT_CATALOG} || :"
    - echo "Running alignment and saving to Tidelift"
    - sh -c "./tidelift alignment save --revision $CI_COMMIT_SHA --project $CI_PROJECT_NAME ${TIDELIFT_CATALOG:+--catalog $TIDELIFT_CATALOG} --wait"

tidelift-code-quality:
  script:
    - curl -fH "Authorization: Bearer $TIDELIFT_API_KEY" https://api.tidelift.com/external-api/v1/catalog/$TIDELIFT_ORGANIZATION/$CI_PROJECT_NAME/alignments/$CI_COMMIT_SHA/gitlab-quality-report > gl-code-quality-report.json
  artifacts:
    expire_in: 4 days
    reports:
      codequality: gl-code-quality-report.json

This example pipeline code is also available at https://github.com/tidelift/gitlab-pipeline-example/.
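The following POSIX shell helpers are an added example, not part of the Tidelift documentation or the tidelift/gitlab-pipeline-example repository. They show the pieces the job scripts above depend on: composing the tidelift alignment arguments with the ${TIDELIFT_CATALOG:+...} expansion, so --catalog is only passed when the variable is set; downloading the CLI with curl -f so an HTTP error page is never saved and executed as the binary; and checking that gl-code-quality-report.json is a non-empty JSON array before GitLab consumes it (the Code Quality report format is a JSON array of issues; that assumption is noted in the code). The function names are hypothetical; the variable names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the Tidelift docs). Helper names are hypothetical;
# TIDELIFT_CATALOG, CI_PROJECT_NAME and CI_COMMIT_SHA are the page's own variables.

# Print the arguments for "tidelift alignment save". The ${VAR:+...} expansion
# emits " --catalog <name>" only when TIDELIFT_CATALOG is set and non-empty,
# which is the same idiom the .gitlab-ci.yml above relies on.
tidelift_alignment_args() {
  project="${1:?project name required}"
  revision="${2:?revision required}"
  printf '%s' "alignment save --revision $revision --project $project${TIDELIFT_CATALOG:+ --catalog $TIDELIFT_CATALOG} --wait"
}

# Download the CLI safely: -f makes curl fail on HTTP errors instead of writing
# an HTML error page to the output file, -sS silences progress but keeps errors,
# -L follows redirects. Returns non-zero if download or chmod fails.
download_tidelift_cli() {
  url="${1:-https://download.tidelift.com/cli/tidelift}"
  out="${2:-tidelift}"
  curl -fsSL "$url" -o "$out" && chmod +x "$out"
}

# Sanity-check the report before GitLab ingests it as a codequality artifact.
# Assumption: the GitLab Code Quality report is a JSON array of issue objects,
# so a valid file is non-empty and its first non-whitespace byte is "[".
# Returns 0 when the file looks valid, 1 otherwise (and prints the reason).
check_quality_report() {
  f="${1:-gl-code-quality-report.json}"
  [ -s "$f" ] || { echo "report missing or empty: $f" >&2; return 1; }
  first=$(tr -d '[:space:]' < "$f" | head -c 1)
  [ "$first" = "[" ] || { echo "report is not a JSON array: $f" >&2; return 1; }
  return 0
}

# Usage in a job script (the API key is read from the masked CI variable and
# never echoed):
#   download_tidelift_cli || exit 1
#   ./tidelift $(tidelift_alignment_args "$CI_PROJECT_NAME" "$CI_COMMIT_SHA")
#   check_quality_report gl-code-quality-report.json || exit 1
```

Because check_quality_report returns non-zero on a bad file, using it with `|| exit 1` fails the job instead of uploading an error response as the code quality artifact, which would otherwise show up as an empty or broken Code Quality widget on the merge request.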

Once the required job steps have been added to the pipeline, select Save. Test the new pipeline configuration by selecting Run pipeline from the Pipelines dashboard.

View Code Quality results

Now, when a new merge request is opened, the code quality will be checked with Tidelift and new issues will show up in the Code Quality section of the GitLab UI.

For more detail on each item, examine the pipeline output.
