Storing and Validating Signed Pipelines Data

JFrog Pipelines Documentation

This section describes the Native and Generic steps used to store and validate signed Pipelines data and includes an example YAML.

Native Steps

Pipelines native steps automatically store information about the artifacts they build so that they can be used later as part of the signed pipelines validation.

Note

The PowerShell versions of these steps do not support the signed pipelines feature.

The following native steps can save artifact info:

The following native steps can validate the published artifacts:

Generic Steps

It is also possible to create your own signed pipeline using only Bash steps. To accomplish this, use the following utility functions, which are available at execution time, to configure what needs to be tracked and validated.

  • save_artifact_info

  • validate_artifact

If an artifact is saved in one Bash step, it can be validated in a later Bash step.

Example YAML

Signed Pipelines for Bash

resources:
  - name: signed_git
    type: GitRepo
    configuration:
      gitProvider: myGithub
      path: ~test/myapp
      branches:
        include: ^master$
  - name: signed_buildinfo
    type: BuildInfo
    configuration:
      sourceArtifactory: myArtifactory

pipelines:
  - name: test_signed_start
    steps:
      - name: create_info
        type: Bash
        configuration:
          inputResources:
            - name: signed_git
          integrations:
            - name: myArtifactory
          outputResources:
            - name: signed_buildinfo
        execution:
          onExecute:
            - cd $res_signed_git_resourcePath
            - jfrog rt upload server.js
            - jfrog rt build-collect-environment
            # Publish the build info and capture the detailed summary as JSON
            - jfrog rt build-publish --detailed-summary $JFROG_CLI_BUILD_NAME $JFROG_CLI_BUILD_NUMBER > summaryOutput.json
            # Save the published build info so that a later step can validate it
            - save_artifact_info buildInfo summaryOutput.json --build-name=$JFROG_CLI_BUILD_NAME --build-number=$JFROG_CLI_BUILD_NUMBER

  - name: test_signed_stop
    steps:
      - name: validate_info
        type: Bash
        configuration:
          inputResources:
            - name: signed_buildinfo
        execution:
          onExecute:
            # Validate the build info saved by the create_info step
            - response=$(validate_artifact buildInfo --build-name ${res_signed_buildinfo_buildName} --build-number ${res_signed_buildinfo_buildNumber})
            - validateResult=$(echo "$response" | jq '.result')
            # Fail the step unless the validation result is true
            - if [ "$validateResult" != "true" ]; then echo "failed validation" && exit 1; fi