Use Helm with JFrog CLI

Run native Helm commands with build-info collection support.

When to Use

Use jf helm to package, push, and manage Helm charts with Artifactory as your chart registry. This integrates Helm operations with JFrog build-info for traceability and security scanning.

Prerequisites

  • Helm 3.8 or later is required for OCI registry support. Helm 4.x has not been formally validated.
  • Configure a server with jf config add or jf c add.
  • Authentication to Artifactory is required.

Build: jf helm

To run Helm commands with Artifactory integration:

  1. Ensure Helm 3.8+ and a configured JFrog server are available (see Prerequisites).
  2. Run jf helm with the Helm subcommand and arguments, adding --build-name and --build-number when supported and needed (see Build Examples).

Synopsis

jf helm <helm-arguments> [options]

Aliases: none

Arguments

| Argument | Required | Description |
|---|---|---|
| <helm-arguments> | Yes | Helm command and arguments (for example, package, push, dependency update) |

Supported Subcommands

All standard Helm commands are supported through jf helm. The following subcommands collect build-info when --build-name and --build-number are provided:

| Subcommand | Description |
|---|---|
| registry login | Log in to an OCI-compatible Helm chart registry. |
| package | Package a chart directory into a chart archive. |
| push | Push a chart to an OCI-compatible registry. |
| pull | Download a chart from a repository. |
| dependency update | Update chart dependencies from Chart.yaml. |
| install | Install a chart into a Kubernetes cluster. |
| upgrade | Upgrade a release to a new chart version. |
| repo | Manage chart repositories. |

Any Helm command not listed above is passed through to the native Helm client.

Build Options

| Flag | Default | Description |
|---|---|---|
| --build-name | | Build name for build-info. Requires --build-number. |
| --build-number | | Build number for build-info. Requires --build-name. |
| --module | | Optional module name for build-info. Requires --build-name and --build-number. |
| --password | | JFrog password |
| --project | | JFrog Artifactory project key |
| --repository-cache | | Path to the Helm repository cache directory. |
| --server-id | | Server ID configured using jf config add |
| --username | | Artifactory username |

Build Examples

View Help

jf helm --help

Package a Chart with Build-Info

Prerequisite: Build-info collection requires a Chart.lock file in the chart directory. Chart.lock is generated when a chart has declared dependencies and you run helm dependency update. Charts with no dependencies do not produce a Chart.lock, and build-info collection will fail. If your chart has no dependencies, see the end-to-end example below.

jf helm package ./mychart --build-name=<build-name> --build-number=<build-number>

Where:

  • ./mychart is the path to the chart directory (must contain Chart.lock)
  • <build-name> is a name for the build (for example, helm-charts)
  • <build-number> is a number or identifier for the build run (for example, 1)

For example:

jf helm package ./mychart --build-name=helm-charts --build-number=1

Expected output:

[Info] Running Helm package ./mychart
Successfully packaged chart and saved it to: ./mychart-0.1.0.tgz
[Info] Collecting build info for executed helm package command

End-to-End Example: Package with Dependency

To use jf helm package with build-info on a chart that has dependencies, first declare a dependency in Chart.yaml, then run helm dependency update to generate Chart.lock, and finally package with jf helm:

Step 1 — Declare a dependency in Chart.yaml:

dependencies:
  - name: nginx
    version: "18.x.x"
    repository: "https://charts.bitnami.com/bitnami"

Step 2 — Update dependencies (generates Chart.lock):

helm dependency update ./mychart

Step 3 — Package with build-info:

jf helm package ./mychart --build-name=helm-charts --build-number=1

Push a Chart to OCI Registry

jf helm push mychart-0.1.0.tgz oci://<repo-host>/helm-local --build-name=<build-name> --build-number=<build-number>

Where:

  • <repo-host> is your Artifactory hostname (for example, acme.jfrog.io)

For example:

jf helm push mychart-0.1.0.tgz oci://acme.jfrog.io/helm-local --build-name=helm-charts --build-number=1

Update Chart Dependencies with Build-Info

Note: Build-info collection for dependency update requires that Chart.lock already exists from a prior run. On the very first run against a new chart, Chart.lock does not yet exist and build-info collection will fail with exit code 1 even though the dependencies are downloaded successfully. Run helm dependency update ./mychart once natively to generate Chart.lock, then use jf helm dependency update for subsequent runs.

jf helm dependency update ./mychart --build-name=<build-name> --build-number=<build-number>

Expected output (after Chart.lock exists):

[Info] Running Helm dependency update ./mychart
[Info] Collecting build info for executed helm dependency command
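The Chart.lock requirement described for both jf helm package and jf helm dependency update can be checked before the build step runs. The following is an added example, not part of JFrog CLI or the original page; the function names chart_lock_state and package_with_build_info are hypothetical, and the dependency detection is a simple text match on Chart.yaml.

```shell
#!/bin/sh
# Preflight for build-info collection on a Helm chart (added example).
# Usage after sourcing: package_with_build_info ./mychart helm-charts 1

# chart_lock_state DIR prints one of:
#   ready            Chart.lock is present
#   needs-bootstrap  dependencies are declared but Chart.lock is missing
#   no-dependencies  nothing declared, so no Chart.lock can be generated
#   not-a-chart      DIR has no Chart.yaml
chart_lock_state() {
  if [ ! -f "$1/Chart.yaml" ]; then echo not-a-chart; return 0; fi
  if [ -f "$1/Chart.lock" ]; then echo ready; return 0; fi
  # Heuristic: a top-level "dependencies:" key with list items on later lines.
  if grep -Eq '^dependencies:[[:space:]]*(#.*)?$' "$1/Chart.yaml"; then
    echo needs-bootstrap
  else
    echo no-dependencies
  fi
}

# package_with_build_info DIR BUILD_NAME BUILD_NUMBER
# Returns 2 when the chart declares no dependencies, 3 when DIR is not a chart.
package_with_build_info() {
  case $(chart_lock_state "$1") in
    ready) ;;
    needs-bootstrap)
      # First run: generate Chart.lock with native Helm before using jf helm.
      helm dependency update "$1" || return 1 ;;
    no-dependencies)
      echo "$1: no dependencies declared; build-info collection would fail" >&2
      return 2 ;;
    *)
      echo "$1: Chart.yaml not found" >&2
      return 3 ;;
  esac
  jf helm package "$1" --build-name="$2" --build-number="$3"
}
```

Failing early with a distinct exit code keeps a missing Chart.lock from surfacing as a generic exit code 1 in the middle of a pipeline.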

Helm Registry Login

To log in to an Artifactory Helm OCI registry:

  1. Ensure a server is configured with jf config add (see Prerequisites).
  2. Run jf helm registry login with your registry URL and optional --server-id, --username, or --password (see the examples later in this section).

Synopsis

jf helm registry login <registry-url> [--server-id <id>] [--username <name>] [--password <pwd>]

Logs your local Helm client into an OCI-compatible registry (such as JFrog Artifactory) using credentials managed by JFrog CLI. After a successful login, you can run jf helm push, jf helm pull, and other OCI operations without re-authenticating each time.

Container registries such as Helm OCI repositories require a login before you can perform push and pull operations. This applies to both local development and CI/CD pipelines (for example, Azure DevOps, GitHub Actions).

Arguments

  • registry-url (required) — The OCI registry to log into (for example, mycompany.jfrog.io).

Options

  • --server-id (optional) — Use a specific configured server.
  • --username (optional) — Registry username.
  • --password (optional) — Registry password or access token.

When --username and --password are omitted, JFrog CLI uses credentials from the configured server (set via jf config add). This requires the server to be configured with a JWT access token. If your server uses a reference (opaque) token, login fails with the error "no credentials available for helm registry login". In that case, provide --username explicitly:

jf helm registry login mycompany.jfrog.io --server-id my-jfrog --username <USERNAME>

To check whether your configured server uses a JWT or reference token, run jf config show.
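When the token is available in a variable (for example the JF_ACCESS_TOKEN secret used in the GitHub Actions example on this page), its shape can be checked before login so that a reference token fails fast with a clear message. This is an added example, not JFrog CLI's own logic; token_kind and registry_login are hypothetical names, the JWT test is a structural heuristic (three base64url segments with an "alg" header), and the sample tokens are constructed.

```shell
#!/bin/sh
# Heuristic token check before `jf helm registry login` (added example).

# Decode one base64url segment; JWT segments omit '=' padding.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    1) return 1 ;;            # never a valid base64 length
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Prints "jwt" for header.payload.signature tokens whose header decodes to
# JSON carrying an "alg" member; prints "opaque" for anything else.
token_kind() {
  case $1 in
    *.*.*.*) echo opaque; return 0 ;;   # more than three segments
    ?*.?*.?*) ;;                        # three non-empty segments
    *) echo opaque; return 0 ;;
  esac
  if b64url_decode "${1%%.*}" | grep -q '"alg"'; then echo jwt; else echo opaque; fi
}

# registry_login REGISTRY TOKEN [USERNAME]
# JWT: rely on the configured server. Opaque: --username is mandatory.
registry_login() {
  if [ "$(token_kind "$2")" = jwt ]; then
    jf helm registry login "$1"
  elif [ -n "${3:-}" ]; then
    jf helm registry login "$1" --username "$3"
  else
    echo "reference token detected: pass a username for $1" >&2
    return 2
  fi
}

# Constructed samples, not real credentials.
mk_b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
SAMPLE_JWT="$(mk_b64url '{"alg":"RS256","typ":"JWT"}').$(mk_b64url '{"sub":"constructed"}').c2ln"
SAMPLE_OPAQUE="constructed-opaque-reference-token"
```

The token is only inspected locally and is never placed on the jf command line, so it does not appear in process listings or shell history.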

Note: registry login does not appear in the jf helm --help Supported Commands list but is a fully supported subcommand.

Examples

# Login using configured server credentials
jf helm registry login mycompany.jfrog.io

# Login using a specific server configuration
jf helm registry login mycompany.jfrog.io --server-id my-jfrog

# Login with explicit credentials
jf helm registry login mycompany.jfrog.io --username <USERNAME> --password <PASSWORD>

Important Notes

  • No separate config command: Unlike other build tools, Helm does not have a jf helm-config command. Authentication is handled via --server-id or the active server configuration.
  • OCI registries: For OCI-based Helm registries (Helm 3.8+), use the oci:// prefix in push/pull commands.
  • Build-info: Use --build-name and --build-number to collect chart info, then publish with jf rt build-publish.
  • Chart dependencies: jf helm dependency update resolves chart dependencies from Artifactory's Helm repositories.

CI/CD Example (GitHub Actions)

# .github/workflows/build.yml
steps:
  - uses: actions/checkout@v4
  - name: Setup JFrog CLI
    uses: jfrog/setup-jfrog-cli@v4
    env:
      JF_URL: ${{ vars.JF_URL }}
      JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
  - name: Package Helm chart
    run: jf helm package ./mychart --build-name=helm-charts --build-number=${{ github.run_number }}
  - name: Push Helm chart
    run: jf helm push mychart-0.1.0.tgz oci://acme.jfrog.io/helm-local --build-name=helm-charts --build-number=${{ github.run_number }}
  - name: Publish build info
    run: jf rt build-publish helm-charts ${{ github.run_number }}

CI/CD Example (Azure DevOps)

# azure-pipelines.yml
steps:
  - task: JfrogCliV2@1
    inputs:
      jfrogPlatformConnection: 'JFrog Platform V2'
      command: |
        jf helm registry login mycompany.jfrog.io
        jf helm package ./mychart --build-name=$(Build.DefinitionName) --build-number=$(Build.BuildNumber)
        jf helm push mychart-0.1.0.tgz oci://mycompany.jfrog.io/helm-local --build-name=$(Build.DefinitionName) --build-number=$(Build.BuildNumber)
        jf rt build-publish $(Build.DefinitionName) $(Build.BuildNumber)

Troubleshooting

| Symptom | Cause | Fix |
|---|---|---|
| 401 / 403 on push or pull | Not logged into OCI registry or invalid credentials | Run jf helm registry login <registry-url> before push/pull. Re-run jf config add if credentials are stale. |
| OCI push fails | Helm version does not support OCI | Upgrade to Helm 3.8+ for OCI registry support |
| jf helm push target not found | Missing oci:// prefix for OCI registries | Use oci://<registry-url>/<repo> format |
| Chart dependencies not resolved from Artifactory | Helm repo not added or not authenticated | Run helm repo add with Artifactory URL and credentials |
| Build-info not collected | --build-name and --build-number not passed | Add both flags to the Helm command |
| [Error] failed to collect build info: failed to read Chart.lock | Chart.lock does not exist in the chart directory | Declare dependencies in Chart.yaml and run helm dependency update ./mychart to generate Chart.lock before using jf helm package or jf helm dependency update |
| [Warn] couldn't extract payload from Access Token / no credentials available for helm registry login | Server configured with a reference (non-JWT) access token | Add --username <USERNAME> to the jf helm registry login command. Run jf config show to check your token type |

Enable debug logging: export JFROG_CLI_LOG_LEVEL=DEBUG

