Overview
JFrog Artifactory offers support for Go packages, providing:
Secure, private Go registries with fine-grained access control over Go packages according to projects or development teams.
Remote Go registries which provide proxy and caching functionality for remote Go resources.
Enterprise features such as high availability, repository replication for multi-site development and different options for massively scalability storage.
A full solution with JFrog CLI, allowing you to resolve and publish your Go projects.
Installing Go
Artifactory requires Go client version 1.11.0 and above.
To install the Go client, please refer to the Go Programming Language documentation.
Using Homebrew?
You can also install the Go client by running:
brew install go
Learn More
Integration Benefits JFrog Artifactory and Go Registry
Configuration
Local Repositories
To deploy Go packages to a local Go registry and enable calculation of Go package metadata, select Repositories | Repositories | Local and set Go to be the Package Type when you create your local repository.
Remote Repositories
Resolving Go Only Via Local or Virtual Repositories
Artifactory only supports resolution of Go packages from virtual Go repositories. To resolve Go from other local or remote Go repositories, you need to aggregate them in a virtual Go repository.
A remote Go repository in Artifactory serves as a caching proxy for golang.org, GitHub.com or a Go repository in a different Artifactory instance.
Artifacts (such as zip files) requested from a remote Go registry are cached on demand. You can remove downloaded artifacts from the remote repository cache, however you can not manually deploy artifacts to a remote repository.
Proxying GitHub
To create a Remote Repository which serves as a caching proxy for github.com, follow the steps below:
Create a new remote repository and set Go to be its Package Type.
Set the Repository Key value, and enter
https://github.com/
in the URL field as displayed below.In the Go Settings set the Git Provider as GitHub.
Note
When using a remote repository that implements Go API Specification, use Artifactory as the Git provider. For example, to set up a remote registry opposite
proxy.golang.org
, use Artifactory as the Git provider.In the Advanced tab, enter the username and password of your GitHub account. This is required due to a rate limit imposed by GitHub when access is anonymous.
From November 2020, GitHub no longer accepts account passwords when authenticating via the REST API
As per the latest GitHub update, basic authentication is no longer supported via REST API. Your password must be replaced with a GitHub private access token.
Also in the Advanced tab, check Lenient Host Authentication.
Click Save & Finish.
Working with GOSUMDB
Go Client 1.13 introduced support for checksum verifications of modules against a central server. Artifactory is able to act as the central checksum server for the Go clients using it as the Go proxy. This will work without any additional configurations for remote sites pointing to GitHub or another Artifactory server.
It is possible to override the default central server used by Artifactory to provide the checksums by adding the property artifactory.go.sumdb.url.override=
https://..
. to your Artifactory's system properties.
This feature can be disabled by adding the property artifactory.go.sumdb.enabled=false
to your Artifactory's system properties.
Private GitHub repositories and some remote sites do not provide checksums. The Go client in those cases will complain about missing the checksum. You can control this feature on the client side with the GOPRIVATE and GONOSUMDB environment variables. See the Go 1.13 Modules environment variables for full details.
Virtual Repositories
Default Deployment Repository
If you are publishing your Go builds to a Virtual Repository, make sure to set one of the local Go repositories that it aggregates as the Default Deployment Repository.
A Virtual Repository defined in Artifactory aggregates packages from both local and remote repositories.
This allows you to access both locally hosted Go packages and packages from remote proxied Go registries from a single URL defined for the virtual repository.
To create a virtual repository as a Go registry, in the Administration module, under Repositories | Repositories | Virtual, click New Virtual Repository and set Go to be its Package Type, and select the underlying local and remote repositories to include under the Repositories section.
Advanced Configuration
Some Remote Import Paths may use go-import
meta tags on the remote repository response body to declare the location of a remote VCS root to follow. By default, this behavior is enabled, and Artifactory will follow these tags to download remote modules. To disable this uncheck the Follow 'go-import' Meta Tags checkbox.
Field | Description |
---|---|
Follow 'go-import' Meta Tags | When checked (default), Artifactory will automatically follow remote VCS roots in |
'go-import' Allow List | An Allow List of Ant-style path patterns that determine which remote VCS roots Artifactory will follow to download remote modules from when presented with For example, if you wish to limit remote |
Using Go with Artifactory
Much of your work with Go and Artifactory is done through JFrog CLI, a thin client that wraps the Go client. To learn more, please refer to the JFrog CLI User Guide.
Did you know?
JFrog CLI is, itself, written in Go.
Resolving Go Projects
Resolving Go Only Via Local or Virtual Repositories
Artifactory only supports resolution of Go packages from virtual Go repositories. To resolve Go from other local or remote Go repositories, you need to aggregate them in a virtual Go repository.
go.mod
is a metadata file that describes a Go package. It contains the package's module name and a list of its dependencies.
To allow successful resolution of a package, the Go client requires a corresponding go.mod
file to be found in the same folder.
For example, in this Hello Worlds
Go project, the go.mod file specifies a module github.com/you/hello
, with a single dependency, rsc.io/quote v1.5.2.
go.mod
module github.com/you/hello require rsc.io/quote v1.5.2
Resolving Transitive Dependencies Locally
To fully resolve a Go project, each transitive dependency needs to have its corresponding go.mod file in place in the same folder where it resides. However, in many cases, the go.mod file does not exist. To resolve a Go project in this case, follow these steps:
Manually download all required dependencies from the internet to your local machine
Run your build while resolving dependencies locally
Publish your built package to Artifactory as described below.
From this point on, you can rebuild your project while resolving dependencies from Artifactory
Building Go Packages
To build your Go projects, use JFrog CLI. JFrog CLI downloads the dependencies needed for the project from the internet and creates the corresponding go.mod
file. When you later use JFrog CLI to publish your package to Artifactory, the go.mod file is uploaded alongside the package to Artifactory.
For details, please refer to the JFrog CLI documentation.
Publishing Go Projects
The Go client works through a Git repository which hosts the Go package source code, and does not provide a way to directly publish packages to Artifactory.
To publish your package to Artifactory, use JFrog CLI as described in the JFrog CLI documentation.
Default Deployment Repository
If you are publishing your Go builds to a Virtual Repository, make sure to set one of the local Go repositories that it aggregates as the Default Deployment Repository.