github-workflows-dojo360-publish

Build and publish artifacts to SaaS Artifactory using OIDC (images, packages), with optional promotion to global repositories

active
IDE: claude, codex, vscode
Version: 1.0.0
Owner: pcorazao
github-actions, workflow, dojo360

Publish Workflow Skill

Overview

This skill covers common patterns for publishing build artifacts to Optum SaaS Artifactory using GitHub Actions.

Dojo360 includes a publish.yml workflow. For new implementations, the recommended approach is to use EPL actions (Artifactory OIDC + build/scan/publish actions) and/or the UHG reusable CI workflows that already include scanning and publishing options.

Workflow Reference

Legacy (Dojo360)

Repository: dojo360/pipelines-workflows
Workflow: .github/workflows/publish.yml
Docs: https://github.com/dojo360/pipelines-workflows/tree/main/web/publish/index.md

Recommended (Optum / UHG)

  • Artifactory OIDC bootstrap: uhg-pipelines/epl-jf/configure-saas-connection@latest
  • Promotion: uhg-pipelines/epl-jf/promote-artifact@latest
  • Language build/scan/publish (example): optum-eeps/epl-actions/node-build-scan@v1
  • Docker build/publish (example reusable workflow): uhg-pipelines/ci-workflows/.github/workflows/docker-ci.yml@v2

Key Features

  • OIDC-based authentication to SaaS Artifactory (no long-lived tokens in GitHub Secrets)
  • Publish packages/images to project repositories (non-prod or prod depending on repo policy)
  • Optional promotion from project repos to global repos
  • Works with multiple artifact types (npm, docker, etc.)

Prerequisites

  • You have a valid jfrog-project-key
  • Your repo is allowed to publish the artifact type (npm, docker, etc.)
  • For Docker builds: base images must be Optum golden images (no public Docker Hub base images)

Required Permissions

Most publish flows need at least:

  • permissions: id-token: write (OIDC)
  • permissions: contents: read

Some orgs also require security-events: write / checks: write for scanners.

Templates

See ready-to-copy examples in .github/skills/github-workflows-dojo360-publish/templates/:

  • publish-npm-package.yml
  • publish-docker-image.yml
  • promote-npm-artifact.yml

Notes / Gotchas

  • SaaS Artifactory endpoints:
    • Push: centraluhg.jfrog.io
    • Pull: edgeinternal1uhg.optum.com
  • Avoid embedding secrets in workflow YAML; use OIDC (configure-saas-connection) wherever possible.
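
A pre-publish check for the Docker base-image prerequisite, added here as an example and not part of the skill, its templates, or the Dojo360/EPL actions. It assumes golden images are pulled from the pull endpoint listed above; the function name, the sample Dockerfile and its image paths are constructed.

```python
import re

# Assumption: golden base images are served from the pull endpoint named above.
ALLOWED_REGISTRY = "edgeinternal1uhg.optum.com"

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?\s*$", re.I)
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)(?:=(\S+))?", re.I)
VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")

# Constructed sample; repository paths and tags are placeholders.
SAMPLE = """\
ARG BASE=edgeinternal1uhg.optum.com/golden/node:20
FROM ${BASE} AS build
FROM --platform=linux/amd64 node:20-alpine AS tools
FROM docker.io/library/nginx:1.27
FROM edgeinternal1uhg.optum.com.example.net/golden/node:20
FROM build
FROM $UNSET
"""

def check_dockerfile(text):
    """Return (line_no, image, reason) for each FROM that breaks the policy."""
    args, stages, findings, seen_from = {}, set(), [], False
    for n, line in enumerate(text.splitlines(), 1):
        m = ARG_RE.match(line)
        if m and not seen_from:          # only global ARGs are visible to FROM
            if m.group(2):
                args[m.group(1)] = m.group(2).strip("\"'")
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        seen_from = True
        image = VAR_RE.sub(
            lambda v: args.get(v.group(1) or v.group(2), v.group(0)), m.group(1))
        if image != "scratch" and image.lower() not in stages:
            host, sep, _ = image.partition("/")
            if "$" in image:
                findings.append((n, image, "unresolved build argument"))
            elif not sep or host != ALLOWED_REGISTRY:   # exact host, not a prefix
                findings.append((n, image, "not pulled from " + ALLOWED_REGISTRY))
        if m.group(2):
            stages.add(m.group(2).lower())
    return findings

if __name__ == "__main__":
    for n, image, reason in check_dockerfile(SAMPLE):
        print(f"line {n}: {image}: {reason}")
```

The host comparison is exact, so a lookalike registry name that merely begins with the allowed host is reported, and a FROM that references an earlier build stage is accepted.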

Related Assets