Try JFrog
Guides
Contact SupportTry JFrog
Start typing to search…
  1. Release Lifecycle Management

Release Lifecycle Management Setup

The setup process for Release Lifecycle Management consists of the following steps:

  1. Configure Stages and the Lifecycle
  2. [Enterprise+] Connecting Distribution Edges (optional)
  3. Create signing keys
  4. [Enterprise+] Propagating signing keys
  5. Configure Release Bundle webhooks (optional)
  6. Configure Release Bundle promotion webhooks (optional)
📘

Note

For setup instructions when using JFrog Security to scan Release Bundles for vulnerabilities, see Scan Release Bundle v2 Versions with Xray.

Configure Stages and the Lifecycle

The lifecycle represents the stages that make up the SDLC for your releases. You can configure a lifecycle for each project in your organization or use a single global lifecycle for all projects.

To configure stages and the lifecycle, follow the instructions described in Stages & Lifecycle.

Connect Distribution Edges to the Platform

To connect Distribution Edges to the JFrog platform, follow the instructions described in Add an Edge Node.

Create Signing Keys for Release Bundles v2

When working with Release Bundles v2, you can take the same signing key added to Artifactory to create and promote the Release Bundle and use it in Distribution to distribute the Release Bundle (Enterprise+ only).

❗️

Important

Starting with Artifactory 7.101.2, Artifactory will create and use a default key (called default-lifecycle-key) if signing keys are not specified during Release Bundle v2 creation.

To generate and upload signing keys for Artifactory (used to create and promote Release Bundles), follow the instructions described in Generate GPG Keys and Upload and Deploy GPG Keys. Examples are provided below.

Generating GPG with RSA key (key size = 2048 bits)

# Generate GPG key pair with a passphrase:
#
gpg --full-generate-key

# Please select what kind of key you want:
#
# >  Select "(1) RSA and RSA" by entering "1".

# RSA keys may be between 1024 and 4096 bits long.
# What keysize do you want? (3072)
#
# >  Enter "2048"

# Please specify how long the key should be valid.
#
# >  Enter "0"

# Is this correct? (y/N)
#
# >  Enter "y"

# GnuPG needs to construct a user ID to identify your key.
#
# Real name:
#
# >  Enter "{your-key-id}"
#
# Email address:
#
# >  Enter "{your-email}"
#
# Comment:
#
# >  Enter "{your-comment}"
#
# Change (N) ame, (C) omment, (E) mail or (O) kay/(Q) uit?
#
# >  Enter "o"
📘

Note

You may specify a passphrase to use together with the signing keys.

Exporting GPG keys

# Export the private key with the specified id to a file:
#
gpg --output {private-key-output-file} --armor --export-secret-keys {your-key-id}
 
# Export the public key with the specified id to a file:
#
gpg --output {public-key-output-file} --armor --export {your-key-id}

Propagate Signing Keys

Use the Propagate Public Signing Key REST API to take the signing key for Release Bundles v2 versions defined in Artifactory and propagate it to:

  • The trusted list of Edge nodes to which the Release Bundle versions will be distributed. Using this API eliminates the need to add the key manually to each Edge node one by one.
  • The list of trusted public keys stored in the source Artifactory. This is needed when working in an Air Gap environment.
trusted_public-keys.png

Configure Release Bundle Webhooks (optional)

Administrators can create webhooks that are triggered by Release Bundle v2 creation events. When a webhook is triggered, it sends relevant information about the event to a web location that is listening for that specific event notification. Webhooks enables you to integrate Release Bundle v2 creation with third-party applications that are also essential to your release lifecycle process.

To configure Release Bundle v2 webhooks:

  1. In the Administration module, select General > Webhooks.

  2. Enter a name and description for the webhook.

  3. Enter the URL that the webhook should invoke.

  4. Under Events, select Release Bundle V2 and then select one or more of the following events:

    • Release Bundle creation started
    • Release Bundle creation failed
    • Release Bundle creation completed

  5. In the Add Release Bundles window, do one of the following:

    • Select Any Release Bundle to include all Release Bundles in this webhook.
    • Choose which Release Bundles to include. Click Save when finished.

  6. Define the secret token used for authentication.

  7. Select the Use secret for payload signing checkbox, if required for validating incoming webhook calls.

  8. Define custom headers, if required.

  9. Click Create.

For more information, see Webhooks.

Configure Release Bundle Promotion Webhooks (optional)

Administrators can create webhooks that are triggered by Release Bundle v2 promotion-related events. When a webhook is triggered, it sends relevant information about the event to a web location that is listening for that specific event notification. Webhooks enables you to integrate Release Bundle v2 promotions with third-party applications that are also essential to your release lifecycle process.

To configure Release Bundle v2 promotion webhooks:

  1. In the Administration tab, select General > Webhooks.

  2. Enter a name and description for the webhook.

  3. Enter the URL that the webhook should invoke.

  4. Under Events, select Promotion and then select one or more of the following events:

    • Release Bundle promotion started
    • Release Bundle promotion failed
    • Release Bundle promotion completed

  5. In the Add Environments window, select the environments to which the webhook should apply, and click Save.

    add_environment_to-webhook.png

  6. Define the secret token used for authentication.

  7. Select the Use secret for payload signing checkbox, if required for validating incoming webhook calls.

  8. Define custom headers, if required.

  9. Click Create.

For more information, see Webhooks.

Updated 22 days ago