Use Helm with JFrog CLI

Run native Helm commands with build-info collection support.

When to Use

Use jf helm to package, push, and manage Helm charts with Artifactory as your chart registry. This integrates Helm operations with JFrog build-info for traceability and security scanning.

This topic covers the following tasks:

• Run Helm commands (jf helm)
• Log in to an Artifactory Helm OCI registry (jf helm registry login)

📘

Package Alias (Ghost Frog)

Package Alias does not intercept helm commands. Supported tools are mvn, gradle, npm, yarn, pnpm, go, pip, pipenv, poetry, dotnet, nuget, docker, gem, and bundle. See Use JFrog CLI Package Alias for setup and the full tool list.

Prerequisites

• Helm 3.8 or later is required. Helm 3.8+ is required for OCI registry support. Helm 4.x has not been formally validated.
• Configure a server with jf config add or jf c add.
• Authentication to Artifactory is required.

Build: jf helm

Run native Helm commands with build-info collection support.

To run Helm commands with Artifactory integration:

1. Ensure Helm 3.8+ and a configured JFrog server are available (see Prerequisites).
2. Run jf helm with the Helm subcommand and arguments, adding --build-name and --build-number when supported and needed (see Build Examples).

Synopsis

jf helm <helm-arguments> [options]

Aliases: none

Arguments

Supported Subcommands

All standard Helm commands are supported through jf helm. The following subcommands collect build-info when --build-name and --build-number are provided:

Any Helm command not listed above is passed through to the native Helm client.

Build Options

Build Examples

View Help

jf helm --help

Package a Chart with Build-Info

📘

Prerequisite

: Build-info collection requires a Chart.lock file in the chart directory. Chart.lock is generated when a chart has declared dependencies and you run helm dependency update. Charts with no dependencies do not produce a Chart.lock and build-info collection will fail. If your chart has no dependencies, see the end-to-end example below.

jf helm package ./mychart --build-name=<build-name> --build-number=<build-number>

Where:

• ./mychart is the path to the chart directory (must contain Chart.lock)
• <build-name> is a name for the build (for example, helm-charts)
• <build-number> is a number or identifier for the build run (for example, 1)

For example:

jf helm package ./mychart --build-name=helm-charts --build-number=1

Expected output:

[Info] Running Helm package ./mychart
Successfully packaged chart and saved it to: ./mychart-0.1.0.tgz
[Info] Collecting build info for executed helm package command

End-to-End Example: Package with Dependency

To use jf helm package with build-info on a chart that has dependencies, first declare a dependency in Chart.yaml, then run helm dependency update to generate Chart.lock, and finally package with jf helm:

Step 1 — Declare a dependency in Chart.yaml:

dependencies:
  - name: nginx
    version: "18.x.x"
    repository: "https://charts.bitnami.com/bitnami"

Step 2 — Update dependencies (generates Chart.lock):

helm dependency update ./mychart

Step 3 — Package with build-info:

jf helm package ./mychart --build-name=helm-charts --build-number=1

Push a Chart to OCI Registry

jf helm push mychart-0.1.0.tgz oci://<repo-host>/helm-local --build-name=<build-name> --build-number=<build-number>

Where:

• <repo-host> is your Artifactory hostname (for example, acme.jfrog.io)

For example:

jf helm push mychart-0.1.0.tgz oci://acme.jfrog.io/helm-local --build-name=helm-charts --build-number=1

Update Chart Dependencies with Build-Info

📘

Note

: Build-info collection for dependency update requires that Chart.lock already exists from a prior run. On the very first run against a new chart, Chart.lock does not yet exist and build-info collection will fail with exit code 1 even though the dependencies are downloaded successfully. Run helm dependency update ./mychart once natively to generate Chart.lock, then use jf helm dependency update for subsequent runs.

jf helm dependency update ./mychart --build-name=<build-name> --build-number=<build-number>

Expected output (after Chart.lock exists):

[Info] Running Helm dependency update ./mychart
[Info] Collecting build info for executed helm dependency command

Helm Registry Login

To log in to an Artifactory Helm OCI registry:

1. Ensure a server is configured with jf config add (see Prerequisites).
2. Run jf helm registry login with your registry URL and optional --server-id, --username, or --password (see the examples later in this section).

Synopsis

jf helm registry login <registry-url> [--server-id <id>] [--username <name>] [--password <pwd>]

Logs your local Helm client into an OCI-compatible registry (such as JFrog Artifactory) using credentials managed by JFrog CLI. After a successful login, you can run jf helm push, jf helm pull, and other OCI operations without re-authenticating each time.

Container registries such as Helm OCI repositories require a login before you can perform push and pull operations. This applies to both local development and CI/CD pipelines (for example, Azure DevOps, GitHub Actions).

Arguments

• registry-url (required) — The OCI registry to log into (for example, mycompany.jfrog.io).

Options

• --server-id (optional) — Use a specific configured server.
• --username (optional) — Registry username.
• --password (optional) — Registry password or access token.

When --username and --password are omitted, JFrog CLI uses credentials from the configured server (set via jf config add). This requires the server to be configured with a JWT access token. If your server uses a reference (opaque) token, login will fail with no credentials available for helm registry login. In that case, provide --username explicitly:

jf helm registry login mycompany.jfrog.io --server-id my-jfrog --username <USERNAME>

To check whether your configured server uses a JWT or reference token, run jf config show.

📘

Note

: registry login does not appear in the jf helm --help Supported Commands list but is a fully supported subcommand.

Examples

# Login using configured server credentials
jf helm registry login mycompany.jfrog.io

# Login using a specific server configuration
jf helm registry login mycompany.jfrog.io --server-id my-jfrog

# Login with explicit credentials
jf helm registry login mycompany.jfrog.io --username <USERNAME> --password <PASSWORD>

Important Notes

• No separate config command: Unlike other build tools, Helm does not have a jf helm-config command. Authentication is handled via --server-id or the active server configuration.
• OCI registries: For OCI-based Helm registries (Helm 3.8+), use the oci:// prefix in push/pull commands.
• Build-info: Use --build-name and --build-number to collect chart info, then publish with jf rt build-publish.
• Chart dependencies: jf helm dependency update resolves chart dependencies from Artifactory's Helm repositories.

CI/CD Example (GitHub Actions)

# .github/workflows/build.yml
steps:
  - uses: actions/checkout@v4
  - name: Setup JFrog CLI
    uses: jfrog/setup-jfrog-cli@v4
    env:
      JF_URL: ${{ vars.JF_URL }}
      JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
  - name: Package Helm chart
    run: jf helm package ./mychart --build-name=helm-charts --build-number=${{ github.run_number }}
  - name: Push Helm chart
    run: jf helm push mychart-0.1.0.tgz oci://acme.jfrog.io/helm-local --build-name=helm-charts --build-number=${{ github.run_number }}
  - name: Publish build info
    run: jf rt build-publish helm-charts ${{ github.run_number }}

CI/CD Example (Azure DevOps)

# azure-pipelines.yml
steps:
  - task: JfrogCliV2@1
    inputs:
      jfrogPlatformConnection: 'JFrog Platform V2'
      command: |
        jf helm registry login mycompany.jfrog.io
        jf helm package ./mychart --build-name=$(Build.DefinitionName) --build-number=$(Build.BuildNumber)
        jf helm push mychart-0.1.0.tgz oci://mycompany.jfrog.io/helm-local --build-name=$(Build.DefinitionName) --build-number=$(Build.BuildNumber)
        jf rt build-publish $(Build.DefinitionName) $(Build.BuildNumber)

Troubleshooting

Enable debug logging: export JFROG_CLI_LOG_LEVEL=DEBUG

Related Topics

• Build Tools Overview — Capabilities matrix and tool reference
• Native Mode — Supported packages with Native Mode