Comments (9)
Thanks for your feedback, @NickLiffen!
Configuring the "JF_ARTIFACTORY_" server token is the easiest and most recommended way to configure the Artifactory credentials.
However, it is not mandatory. You still have the option to use the CLI as usual:
Example 1:
- uses: jfrog/setup-jfrog-cli@v1
- run: |
    jfrog rt ping --url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
Example 2:
- uses: jfrog/setup-jfrog-cli@v1
- run: |
    jfrog c add kermit --artifactory-url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.RT_TOKEN }}
    jfrog rt ping
One more thing - jfrog rt c is deprecated in favour of jfrog c add. Read more about this command under Authentication.
I updated the Setup JFrog CLI documentation - thanks!
Please let me know if that helped.
from setup-jfrog-cli.
@yahavi I agree that for most people this would be okay 👍
The thing about this command:
jfrog rt ping --url=https://<jfrog-platform-url>/artifactory --access-token=${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
Is I would have to run this with every command I run 😢 Which is a little bit messy. Also, across 100 repos using this, it just starts to not get very modular IMO.
We could create something custom in the company that I work for which does what we are asking, but I just didn't know if there was appetite at the broader community to have the OPTION (not mandatory), to just do a one-time setup of:
- uses: jfrog/setup-jfrog-cli@v1
  env:
    JF_ARTIFACTORY_SERVER_URL: ${{ secrets.JF_ARTIFACTORY_SERVER_URL }}
    JF_ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }}
What that means is in another job I could be rotating the JF_ARTIFACTORY_ACCESS_TOKEN every X hours, meaning we are fully secure.
The problem is, even though GitHub makes it really hard to console.log() GitHub Secrets, it's 100% possible with hacky solutions which I don't like, but it's done. So if we don't rotate it, someone could get it out of Secrets and use it. That is why we need to rotate if that makes sense 👍
If this isn't something you are interested in then it's fine, we are happy to build something custom, just wanted to ask here first 👍
from setup-jfrog-cli.
@NickLiffen,
If I have not misunderstood you, you can easily create the server token in the action that updates Artifactory's token.
Something like that:
- uses: jfrog/setup-jfrog-cli@v1
- run: |
    # Create a new access token
    export NEW_ACCESS_TOKEN=`jfrog rt atc <artifactory-username> --url=${{ secrets.JF_ARTIFACTORY_SERVER_URL }} --access-token=${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }} | jq '.access_token' -r`
    # Configure Artifactory server
    jfrog c add kermit --artifactory-url=${{ secrets.JF_ARTIFACTORY_SERVER_URL }} --access-token=$NEW_ACCESS_TOKEN
    # Create a new server token
    export NEW_TOKEN=`jfrog c export kermit`
Please let me know if that helped.
from setup-jfrog-cli.
Agreed 👍 But look how messy that is 😢 This is what we are trying to get away from. It's a lot of characters of code where someone could go in and change something which breaks the auth process. IF someone was to go in and accidentally change something, it stops working.
It sounds like you aren't open to this suggestion, (which is fine), we are happy to go and build our own action 👍 Appreciate the conversation 💯
from setup-jfrog-cli.
I also don't think I am explaining myself very well, to be honest, 🙃
I would like to have a workflow that has a one-time Artifactory setup step, then multiple steps after that, that don't need to worry about anything config related, it would use the one-time setup process. E.G
- uses: jfrog/setup-jfrog-cli@v1
  env:
    JF_ARTIFACTORY_SERVER_URL: ${{ secrets.JF_ARTIFACTORY_SERVER_URL }}
    JF_ARTIFACTORY_ACCESS_TOKEN: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }}
That would be the setup, then I could run any command after that line, like this:
- run: |
    jfrog rt ping
This token here: ${{ secrets.JF_ARTIFACTORY_ACCESS_TOKEN }} we would like to be set at the GitHub Organisation layer. This token would have read access to certain enterprise repos. Now, as it's at the org level, we need to be careful with this token. So, in a completely separate GitHub Repo, I will use the Artifactory REST API to create a new token and update the GitHub Org Secret with the new Access Token.
I would then put this GitHub action on a cron to run X times every day.
As it's at the org level, it means 1000's of repos can reference this one token, whilst staying secure, as the token is scoped to groups, and also if someone managed to get it out of actions, it is only valid for X amount of time. If that makes sense.
We can't ask 1000's of repos to do this, so we will have 1 secret at the GitHub Org Level. We will have 1 separate locked off GitHub Repo that updates this org level secret every X hours. Then set the org level secret so every repo in the org can use it.
Hopefully that makes sense 👍
from setup-jfrog-cli.
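The rotation job described in the comment above, as an added sketch that is not code from this thread or from the setup-jfrog-cli project. It mints the token with the `jfrog rt atc` command shown earlier in the thread, checks the new token with `jfrog rt ping` before touching the org secret, and assumes the GitHub CLI (`gh`) is installed with a token allowed to write org secrets; `RT_URL`, `RT_USER`, `CURRENT_TOKEN`, `GH_ORG` and `TTL_SECONDS` are hypothetical variable names.

```sh
# Added example: rotate the org-level Artifactory token without ever publishing a dead one.
# Assumed inputs (hypothetical names): RT_URL, RT_USER, CURRENT_TOKEN, GH_ORG, TTL_SECONDS.

# Pull "access_token" out of the JSON printed by `jfrog rt atc`.
# sed is used here only so the sketch has no jq dependency.
extract_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

rotate_org_token() {
  # 1. Mint a short-lived token, authenticating with the token about to be replaced.
  new_token=$(jfrog rt atc "$RT_USER" --url="$RT_URL" \
      --access-token="$CURRENT_TOKEN" --expiry="$TTL_SECONDS" | extract_token)
  if [ -z "$new_token" ]; then
    echo "rotation aborted: no access_token in response" >&2
    return 1
  fi
  # 2. Register the value with the Actions log masker before anything can print it.
  echo "::add-mask::$new_token"
  # 3. Prove the new token authenticates; on failure the old secret stays in place,
  #    so the repos that read it keep working.
  if ! jfrog rt ping --url="$RT_URL" --access-token="$new_token" >/dev/null 2>&1; then
    echo "rotation aborted: new token failed ping" >&2
    return 2
  fi
  # 4. Publish. gh reads the secret value from stdin when --body is omitted.
  printf '%s' "$new_token" | gh secret set JF_ARTIFACTORY_ACCESS_TOKEN \
      --org "$GH_ORG" --visibility all
}
```

Pick `TTL_SECONDS` longer than the cron interval: each run authenticates with the previous token, so a token that expires before the next run breaks the chain.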
Maybe the PR I recently created could help create the feature that is requested here?
#43
I have it working in our private action but would make our devs really happy if they could use it with this public version of the action.
from setup-jfrog-cli.
@rkustner -
I added a question for you inside your PR.
@NickLiffen -
Are you suggesting that we create a new and separate action for refreshing the token periodically?
from setup-jfrog-cli.
Hi @NickLiffen
This #76 is merged and adds the following functionality.
Looking forward to your feedback on it.
I will update this thread once the next release is out.
Storing the connection details using separate environment variables
You can set the connection details to your JFrog Platform by using one of the following environment variables combinations:
- JF_URL (no authentication)
- JF_URL + JF_USER + JF_PASSWORD (basic authentication)
- JF_URL + JF_ACCESS_TOKEN (authentication using a JFrog Access Token)
You can use these environment variables in your workflow as follows:
- uses: jfrog/setup-jfrog-cli@v2
  env:
    # JFrog platform URL (for example: https://acme.jfrog.io)
    JF_URL: ${{ secrets.JF_URL }}
    # Basic authentication credentials
    JF_USER: ${{ secrets.JF_USER }}
    JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
    # JFrog platform access token (if JF_USER and JF_PASSWORD are not provided)
    # JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
- run: |
    jf rt ping
from setup-jfrog-cli.
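A pre-flight check for the three environment-variable combinations listed in the comment above, as an added example that is not part of the action or of this thread. A secret that is missing or withheld from the job expands to an empty string, which is indistinguishable from the "JF_URL only" combination; the function name `jf_auth_mode`, its `--require-auth` flag and the choice to reject both credential kinds set together are this example's own assumptions.

```sh
# Added example (not part of the action): report which documented JF_* combination
# the current environment matches, and fail on combinations the docs do not list.
# Usage: jf_auth_mode [--require-auth]   (the flag is this example's own invention)
jf_auth_mode() {
  user=${JF_USER:-} pass=${JF_PASSWORD:-} token=${JF_ACCESS_TOKEN:-}
  if [ -z "${JF_URL:-}" ]; then
    echo "JF_URL is empty; every documented combination needs it" >&2
    return 1
  fi
  # Half a username/password pair is a misconfiguration, not basic authentication.
  if { [ -n "$user" ] && [ -z "$pass" ]; } || { [ -z "$user" ] && [ -n "$pass" ]; }; then
    echo "JF_USER and JF_PASSWORD must be set together" >&2
    return 1
  fi
  # Both credential kinds at once: refuse rather than guess which one is used.
  if [ -n "$user" ] && [ -n "$token" ]; then
    echo "set either JF_USER/JF_PASSWORD or JF_ACCESS_TOKEN, not both" >&2
    return 1
  fi
  if [ -n "$user" ]; then
    mode=basic
  elif [ -n "$token" ]; then
    mode=token
  else
    mode=anonymous
  fi
  # An empty secret looks exactly like the "JF_URL only" combination;
  # --require-auth turns that silent downgrade into a hard failure.
  if [ "$mode" = anonymous ] && [ "${1:-}" = "--require-auth" ]; then
    echo "no credentials reached this job; refusing anonymous access" >&2
    return 1
  fi
  echo "$mode"
}
```

Run as a step before the first `jf` command, `jf_auth_mode --require-auth` stops a job whose secrets did not arrive instead of letting it continue unauthenticated.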
Hi @NickLiffen,
Setup JFrog CLI 2.4.0 is released and includes the above feature.
We'd appreciate your feedback on that.
from setup-jfrog-cli.