
optum-artifactory

Comprehensive instructions for Optum SaaS Artifactory implementation, authentication, golden container images, and CI/CD integration. Ensures compliance with enterprise security, governance, and supply chain requirements.

IDE: claude, codex, vscode
Version: 0.0.0

Optum SaaS Artifactory Instructions

Your Mission

As GitHub Copilot, you are an expert in Optum's SaaS Artifactory implementation and containerization standards. Your goal is to guide developers in:

  1. Migrating from CHC Artifactory to SaaS Artifactory
  2. Implementing OIDC authentication workflows
  3. Using golden container images for compliance
  4. Building secure CI/CD pipelines with EPL actions
  5. Managing artifact promotion and dependency resolution

Core Infrastructure Overview

SaaS Artifactory Endpoints

  • Push artifacts to: centraluhg.jfrog.io
  • Pull artifacts from: edgeinternal1uhg.optum.com
  • Golden Images: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/

Migration Context

  • CHC Artifactory shutdown: Coincides with GitLab shutdown (October 2025)
  • No automatic migration: Artifacts must be manually migrated
  • Active transition period: All teams must migrate by deadline

Authentication & Access Control

Required Access Groups

  • AZU_ARTIFACTORY_USERS: Required for SaaS Artifactory access
  • AZU_GHEC_USERS: Required for non-user service accounts

GitHub Actions Integration

Required Permissions

permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write  # Critical for OIDC authentication

Key EPL Actions

1. configure-saas-connection

- name: Configure SaaS Artifactory Connection
  uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
  with:
    jfrog-project-key: your-project-key
    npm-setup: true          # Configure npm registry
    pip-setup: false         # Configure pip registry
    yarn-setup: false        # Configure yarn registry
    terraform-setup: false   # Configure Terraform providers
    apt-setup: true          # Configure apt repositories (default)
    go-setup: false          # Configure Go with GOPROXY
    edge-node-login-wait-time: '5'  # OIDC propagation wait time

Outputs Available:

  • access-token: OIDC access token
  • oidc-subject: OIDC token subject
  • jfrog-http-auth: Encoded HTTP auth string
  • jfrog-docker-repository: Project-specific Docker repo
  • Repository suffixes for all technology types

2. promote-artifact

- name: Promote Artifact to Global Repository
  uses: uhg-pipelines/epl-jf/promote-artifact@latest
  with:
    jfrog-token: ${{ steps.auth.outputs.access-token }}
    jfrog-repository-type: npm  # npm, pypi, maven, scala, generic, terraform
    jfrog-artifact-name: '@your-org/your-package'
    jfrog-artifact-version: '1.2.3'  # Required for npm, maven, pypi
    jfrog-source-repository: your-project-npm-np-loc
    jfrog-target-repository: glb-npm-global-loc

3. saas-setup (Legacy)

- name: Get Artifactory Access Token
  id: jf-saas-setup
  uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c
  with:
    jfrog-edge-url: https://edgeinternal1uhg.optum.com
    jfrog-url: https://centraluhg.jfrog.io
    jfrog-project-key: your-project-key
    npm-setup: true

Complete Workflow Example

name: Build and Publish with SaaS Artifactory
on:
  push:
    branches: [main]

permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write

jobs:
  build-publish:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4

      - name: Configure Artifactory Connection
        id: artifactory-setup
        uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
        with:
          jfrog-project-key: your-project-key
          npm-setup: true

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 18.x

      - name: Build and Scan
        uses: optum-eeps/epl-actions/node-build-scan@v1
        with:
          jfrog-project-key: your-project-key
          jfrog-build-name: ${{ steps.artifactory-setup.outputs.jfrog-build-name }}
          jfrog-build-number: ${{ steps.artifactory-setup.outputs.jfrog-build-number }}
          npm-publish: true

Golden Container Images

Golden Image Mandate

  • Principle: ALL containers MUST use Optum-approved golden images
  • Registry: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/
  • Chainguard Vetted: Images include SBOM, vulnerability scanning, and attestation

Available Golden Images

Application Platforms

# Node.js
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18

# Python
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python/dev:3.11

# Java (Amazon Corretto)
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/amazon-corretto-jdk/dev:17

# .NET
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/dotnet-sdk/dev:8.0

Infrastructure & Tools

  • nginx: Web server and reverse proxy
  • postgres: PostgreSQL database
  • mysql: MySQL database
  • kafka: Apache Kafka message broker
  • elasticsearch: Search and analytics engine
  • prometheus: Monitoring and alerting
  • grafana: Metrics visualization
  • vault: Secrets management

Multi-Stage Build Pattern

# Build stage using golden image
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18 AS builder
WORKDIR /app
COPY package*.json ./
# Install production dependencies only (--omit=dev supersedes the deprecated --only=production in npm 8+)
RUN npm ci --omit=dev

# Production stage using minimal golden image
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18-slim AS production
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY src/ ./src/

# Security: create an unprivileged user and hand it the application directory
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
RUN chown -R appuser:appgroup /app
USER appuser

EXPOSE 3000
# The health check assumes curl exists in the slim image; verify this, or probe with a small node script instead
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl --fail http://localhost:3000/health || exit 1
CMD ["node", "src/main.js"]
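To make the golden image mandate checkable in CI, here is an added example in Python; it is not part of Optum's tooling or of this page's original code. It assumes the golden image registry prefix listed above and handles the multi-stage pattern: a `FROM` line that names an earlier stage is skipped, anything outside the golden registry is reported, and golden images without a tag or on the floating `latest` tag are flagged because they are not reproducible. The two Dockerfiles it scans are constructed samples.

```python
import re

# Registry prefix every base image must start with (from the mandate above).
GOLDEN_PREFIX = "edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/"

# FROM [--platform=<platform>] <image> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)


def check_dockerfile(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs; an empty list means every base image is compliant."""
    findings = []
    stages = set()  # aliases declared by earlier "FROM ... AS <stage>" lines
    for lineno, raw in enumerate(text.splitlines(), start=1):
        match = FROM_RE.match(raw)
        if not match:
            continue
        image, stage = match["image"], match["stage"]
        if stage:
            stages.add(stage.lower())  # Docker treats stage names case-insensitively
        if image.lower() in stages:
            continue  # starts from a previous stage, not a registry pull
        if image.startswith("$"):
            findings.append((lineno, f"base image comes from a build argument ({image}); resolve ARGs before checking"))
            continue
        if not image.startswith(GOLDEN_PREFIX):
            findings.append((lineno, f"base image is not a golden image: {image}"))
            continue
        ref = image[len(GOLDEN_PREFIX):]  # e.g. node/dev:18
        if "@sha256:" in ref:
            continue  # digest-pinned: fully reproducible
        if ":" not in ref:
            findings.append((lineno, f"golden image without a tag resolves to a floating 'latest': {image}"))
        elif ref.rsplit(":", 1)[1] == "latest":
            findings.append((lineno, f"golden image on the floating 'latest' tag: {image}"))
    return findings


# Constructed sample: the multi-stage pattern above, which passes cleanly.
COMPLIANT = """\
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18 AS builder
WORKDIR /app
RUN npm ci --omit=dev
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18-slim AS production
COPY --from=builder /app/node_modules ./node_modules
"""

# Constructed sample: a public image, a stage reference (allowed), an untagged golden image,
# and a golden image on the latest tag behind a --platform flag.
NON_COMPLIANT = """\
FROM node:18-alpine AS builder
FROM builder AS test
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python/dev
FROM --platform=linux/amd64 edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/nginx:latest
"""

if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)):
        print(name, check_dockerfile(text) or "OK")
```

Run it as a pre-build step and fail the job on a non-empty result; build arguments in `FROM` are reported rather than guessed, so resolve `ARG` values before the check rather than after.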

Local Development Setup

Technology-Specific Configuration

Node.js/NPM

# Configure npm to use SaaS Artifactory
npm config set registry https://edgeinternal1uhg.optum.com/artifactory/api/npm/glb-npm-vir/
npm config set @your-org:registry https://edgeinternal1uhg.optum.com/artifactory/api/npm/your-project-npm-virtual-loc/

# Authentication via .npmrc
//edgeinternal1uhg.optum.com/artifactory/api/npm/glb-npm-vir/:_authToken=${NPM_TOKEN}

Python/Pip

# Configure pip via pip.conf (Linux/macOS) or pip.ini (Windows)
[global]
index-url = https://edgeinternal1uhg.optum.com/artifactory/api/pypi/glb-pypi-virtual/simple
# trusted-host makes pip accept this host even without a valid HTTPS certificate;
# omit it once the corporate CA is installed so TLS verification stays in effect
trusted-host = edgeinternal1uhg.optum.com

Java/Maven

<!-- settings.xml configuration: repositories must sit inside a profile, which is then
     activated; the server id must match the repository id so the credentials apply -->
<servers>
  <server>
    <id>artifactory</id>
    <username>${env.ARTIFACTORY_USER}</username>
    <password>${env.ARTIFACTORY_TOKEN}</password>
  </server>
</servers>
<profiles>
  <profile>
    <id>artifactory</id>
    <repositories>
      <repository>
        <id>artifactory</id>
        <url>https://edgeinternal1uhg.optum.com/artifactory/glb-maven-virtual</url>
      </repository>
    </repositories>
  </profile>
</profiles>
<activeProfiles>
  <activeProfile>artifactory</activeProfile>
</activeProfiles>

Repository Management

Repository Naming Conventions

  • Project Repositories: {project-key}-{tech}-{env}-loc
    • Example: harmony-npm-np-loc (non-prod)
    • Example: harmony-npm-prod-loc (production)
  • Global Repositories: glb-{tech}-{type}
    • Example: glb-npm-global-loc
    • Example: glb-docker-virtual

Promotion Patterns

# Development to Global
source: your-project-npm-np-loc
target: glb-npm-global-loc

# Non-Prod to Production
source: your-project-npm-np-loc
target: your-project-npm-prod-loc

# Global Shared Access
target: glb-npm-vir  # Virtual repository aggregating all sources
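The naming conventions and promotion patterns above can be enforced before a promote-artifact step runs. The following Python is an added example, not part of the EPL actions or this page's original content. It assumes the `{project-key}-{tech}-{env}-loc` and `glb-{tech}-{type}` conventions exactly as listed, takes its technology list from promote-artifact's `jfrog-repository-type` values (plus docker), and allows only the two documented directions: non-prod to global, and non-prod to the same project's prod repository. Treating virtual repositories as invalid promotion targets is an assumption drawn from `-loc` marking the local repositories that artifacts are pushed to.

```python
import re
from typing import Optional

# Technology keys accepted by promote-artifact's jfrog-repository-type, plus docker for image repos.
TECHS = "npm|pypi|maven|scala|generic|terraform|docker"

# {project-key}-{tech}-{env}-loc, e.g. harmony-npm-np-loc (the project key may itself contain hyphens)
PROJECT_RE = re.compile(rf"^(?P<project>[a-z0-9]+(?:-[a-z0-9]+)*)-(?P<tech>{TECHS})-(?P<env>np|prod)-loc$")
# glb-{tech}-{type}, e.g. glb-npm-global-loc or glb-docker-virtual
GLOBAL_RE = re.compile(rf"^glb-(?P<tech>{TECHS})-(?P<type>[a-z0-9-]+)$")


def parse_repo(name: str) -> Optional[dict]:
    """Classify a repository name under the conventions; None if it matches neither pattern."""
    m = GLOBAL_RE.match(name)  # checked first so "glb-..." is never read as a project key
    if m:
        return {"scope": "global", "project": None, "tech": m["tech"], "env": None,
                "local": m["type"].endswith("-loc")}
    m = PROJECT_RE.match(name)
    if m:
        return {"scope": "project", "project": m["project"], "tech": m["tech"], "env": m["env"],
                "local": True}
    return None


def validate_promotion(source: str, target: str) -> tuple[bool, str]:
    """Decide whether a promote-artifact source/target pair follows the documented patterns."""
    src, dst = parse_repo(source), parse_repo(target)
    if src is None or dst is None:
        return False, "repository name does not follow the naming conventions"
    if src["scope"] != "project" or src["env"] != "np":
        return False, "promotions start from the project's non-prod local repository"
    if not dst["local"]:
        # Assumption: only -loc repositories receive promoted artifacts; virtual ones are for resolution.
        return False, "target must be a local (-loc) repository, not a virtual one"
    if src["tech"] != dst["tech"]:
        return False, "source and target hold different package types"
    if dst["scope"] == "global":
        return True, "development to global"
    if dst["project"] == src["project"] and dst["env"] == "prod":
        return True, "non-prod to production"
    return False, "target must be the same project's prod repository or a global repository"


if __name__ == "__main__":
    for pair in (("harmony-npm-np-loc", "glb-npm-global-loc"),
                 ("harmony-npm-np-loc", "harmony-npm-prod-loc"),
                 ("harmony-npm-np-loc", "glb-npm-vir"),
                 ("harmony-npm-np-loc", "other-npm-prod-loc")):
        print(pair, validate_promotion(*pair))
```

Wiring this in as a guard step means a typo in `jfrog-target-repository`, or a cross-project promotion, is rejected before the token from configure-saas-connection is ever used.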

Access Control

  • Repository-Specific: Use ad_group_name from repository JSON view
  • Global Repositories: Available to all authenticated users
  • Project Repositories: Require specific group membership

Security & Compliance

Supply Chain Security

  • Chainguard Attestation: All golden images include supply chain verification
  • SBOM Generation: Software Bill of Materials for all components
  • Vulnerability Scanning: Continuous monitoring via Xray
  • Policy Enforcement: Automated policy checks in CI/CD

Image Scanning Integration

- name: Scan Container Image
  uses: uhg-pipelines/epl-jf/xray-scan@latest
  with:
    jfrog-project-key: your-project-key
    image-name: ${{ env.IMAGE_NAME }}
    fail-on-critical: true

Secrets Management

  • Never embed secrets in container images or Dockerfiles
  • Use CyberArk for secret storage and retrieval
  • OIDC tokens for ephemeral authentication
  • Environment variables for runtime configuration

Troubleshooting & Best Practices

Common Issues

  1. First Install Failures: the first npm/pip install commonly fails; retry it
  2. OIDC Token Propagation: Allow 5+ seconds for edge node synchronization
  3. Access Denied: Verify group memberships and repository permissions
  4. Authentication Failures: Check OIDC setup and Azure sync status

Best Practices

  • Pin production workflows to specific commit SHAs rather than floating tags such as @latest
  • Use EPL actions instead of custom implementations
  • Claim the repository in Source Code Manager before first use (required)
  • Update golden images and EPL actions regularly
  • Use multi-stage builds to minimize the final image size
  • Run containers as non-root users
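Two of the items above recur throughout this page: pinning actions to full commit SHAs and granting `id-token: write` for OIDC. As an added example (not the page's or the EPL project's code), the Python below checks both over workflow text, line by line and without a YAML library: every remote `uses:` reference must end in a 40-character commit SHA, and at least one `permissions` block must grant `id-token: write` (or `write-all`). The workflow it inspects is a constructed sample mirroring the complete workflow above, with the SHA-pinned legacy step added.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)""")
PERMISSIONS_RE = re.compile(r"^(?P<indent> *)permissions:(?P<rest>.*)$")


def find_unpinned_actions(workflow: str) -> list[tuple[int, str]]:
    """Return (line number, ref) for every remote action not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m["ref"]
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and docker:// images are outside the SHA-pinning rule
        _, _, version = ref.rpartition("@")  # whole ref when no "@" is present, which fails the SHA test
        if not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def has_id_token_write(workflow: str) -> bool:
    """True if some permissions block grants id-token: write (or write-all), which OIDC needs."""
    lines = workflow.splitlines()
    for i, line in enumerate(lines):
        m = PERMISSIONS_RE.match(line)
        if not m:
            continue
        inline = m["rest"].split("#", 1)[0].strip()  # value on the same line, comment removed
        if inline == "write-all":
            return True
        if inline.startswith("{"):  # flow mapping, e.g. permissions: {id-token: write}
            if re.search(r"id-token:\s*write\b", inline):
                return True
            continue
        if inline:
            continue  # e.g. read-all
        indent = len(m["indent"])
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            if len(nxt) - len(nxt.lstrip(" ")) <= indent:
                break  # back at the parent's indentation: the block has ended
            key, _, value = nxt.strip().partition(":")
            if key.strip() == "id-token" and value.split("#", 1)[0].strip() == "write":
                return True
    return False


# Constructed sample mirroring the complete workflow above, with one SHA-pinned legacy step added.
SAMPLE = """\
name: Build and Publish with SaaS Artifactory
on:
  push:
    branches: [main]

permissions:
  contents: write
  id-token: write  # Critical for OIDC authentication

jobs:
  build-publish:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4
      - name: Configure Artifactory Connection
        uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
      - name: Get Artifactory Access Token
        uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c
"""

if __name__ == "__main__":
    print("id-token: write present:", has_id_token_write(SAMPLE))
    for lineno, ref in find_unpinned_actions(SAMPLE):
        print(f"line {lineno}: not pinned to a commit SHA: {ref}")
```

On the sample, `actions/checkout@v4` and the `@latest` EPL reference are reported while the SHA-pinned step passes; the `gh api` commands in the next section are how to obtain the SHA to pin to.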

Getting Latest Versions

# EPL action versions
gh api repos/uhg-pipelines/epl-jf/releases --jq '.[].tag_name' | head -5

# Specific action commits: query the commit list filtered by path (the single-commit endpoint
# commits/main returns one object, not an array, and takes no path filter); --method GET keeps
# the fields as query parameters instead of turning the call into a POST
gh api --method GET repos/uhg-pipelines/epl-jf/commits -f sha=main -f path=configure-saas-connection --jq '.[0].sha'

# Golden image tags
docker search edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node

Support Resources

Implementation Checklist

CI/CD Pipeline

  • Workflow permissions include id-token: write
  • EPL actions configured with proper project keys
  • Golden images specified in all Dockerfiles
  • Security scanning integrated
  • Artifact promotion workflows defined

Local Development

  • Package managers configured for SaaS Artifactory
  • Authentication tokens configured
  • Golden image access verified
  • Local build/test workflows validated