Releasing production-ready software is a complicated tangle of tools and processes lacking visibility, traceability, and consistency. This leads to custom integrations and human intervention, which create opportunities for mistakes, impede automation, and increase the likelihood of insecure software being released.
JFrog’s release lifecycle management capabilities enable “release first” software supply chain (SSC) management, delivering trusted software faster.
Let’s take a look at these new capabilities and how they can help improve your software development process.
Creating a new level of trust and automation of software releases
While it may seem that code is the driver of quality software, a binary is what runs in a production environment, so focusing on a binary release is the best way to deliver continuous quality and trust in software releases.
We believe there are six key components necessary to serve as the single source of truth for what’s being released for consumption:
- Defining the release with all of the included packages and components of varying technologies as an immutable entity
- Configuring “environments” that match an organization’s release lifecycle stages and contain the necessary repositories for the components within a release
- Capturing evidence in a single place of actions taken to ensure security and quality by the various teams and tools leveraged across the SSC
- Promoting a release seamlessly from one environment to another, without rebuilding at any point in the release process
- Applying policies to control how or when a release advances, including security checks, license validations, and operational requirements
- Distributing a release where needed for consumption, ensuring a trusted chain of custody to the very “last mile” of software delivery
Release lifecycle management with new promotion capabilities in Artifactory
JFrog’s release lifecycle management beta takes the first step in delivering our “release-first” vision by introducing and improving on core functionality of the JFrog platform.
So, how does it work?
It starts by defining, in your JFrog deployment, the environments a release candidate must flow through as part of its release process. Next, a developer creates a Release Bundle from a build output to serve as the release candidate. This set of assets advances, via promotion, through the assigned environments towards production. Along the way, “gates” help ensure the integrity of your releases, and metadata is captured throughout the whole process.
Take a quick look at the base functionality included in our Release Lifecycle Management Beta in the video below.
The first phase of our new capabilities for software release lifecycle management, now in beta, allows organizations to:
- Generate a signed, immutable Release Bundle immediately from a build output, ensuring that no artifacts associated with a release change
- Add promotion gates via webhook for security and other qualifiers
- Promote a Release Bundle manually or via integrated CI/CD automations
With a defined, repeatable process that can be tracked from start to finish, our new release lifecycle management lays the foundation for attestation of the release lifecycle.
What else can we add to release lifecycle management in Artifactory?
This new approach will not only improve the security of software releases, but it will also increase velocity while providing valuable data and insights to multiple stakeholders across IT, DevOps, and Security domains. The aim is to include additional capabilities that scale adoption and support complex software release workflows with greater automation.
Here are some of the use cases we imagine powering in the future:
- Access a DORA dashboard to track performance over time
- Generate SOC 2 compliance reports with the click of a button
- Define clear workflow automation policies
- Release management dashboards
Ready to give it a try?
While we continue to work on additional functionality and fine-tune for GA, there’s no reason to wait any longer. Existing customers can use our Release Lifecycle Management building blocks today and provide valuable feedback.
New to JFrog? No problem. Try the JFrog Platform for free.