artifactory
helps explain and implement Optum SaaS Artifactory setup, configuration, and migration from CHC Artifactory
Optum SaaS Artifactory Guide
Overview
Optum is migrating from CHC Artifactory to UHG's SaaS Artifactory. CHC Artifactory will be shut down alongside GitLab, with all teams required to migrate by October 2025.
Key Infrastructure
Endpoints
- Push artifacts to: centraluhg.jfrog.io
- Pull artifacts from: edgeinternal1uhg.optum.com
Access Requirements
- Must be in secure group: AZU_ARTIFACTORY_USERS
- CyberArk vault setup required
- Non-user service accounts with OIDC authentication
- Azure AD integration
Setup Process (7 Steps)
1. Create CyberArk Vault
- Create vault for your aideId if not already existing
- Use "Core Internal" option
- Follow CyberArk setup guide
2. Request Vault Access via Secure
- Use Secure portal
- Filter by aideId to find your vault
- Request access for primary user to view secrets
3. Create Non-User ID in Secure
- Create Non-User ID (service account)
- Add to the AZU_GHEC_USERS group
- Associate with the appropriate vault
4. Retrieve Non-User Password
- Access through Secure Access Workbench (SAW)
- Use PAM request portal
- Requires MS Authenticator MFA
- Log in to cyberark.optum.com to retrieve the password
5. Create Non-User Application Mailbox
- Use EUTS Login portal
- Submit ServiceNow request for application mailbox
- Wait for approval and email confirmation
6. Sync Non-User to Azure
Install and configure hcpctl:

```bash
brew tap optum-eeps/prm-homebrew https://github.com/optum-eeps/prm-homebrew.git
brew install hcpctl
hcpctl context create --uri https://prm.optum.com prm-prod
hcpctl context use prm-prod
hcpctl login
```
7. Create SaaS Artifactory Repository
- Login to HCP Console
- Create repository with non-user application mailbox email
- Note the ad_group_name for access control
GitHub Actions Integration
Required Permissions
```yaml
permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write   # required: the OIDC token is exchanged for the Artifactory access token
```
Example Workflow
```yaml
name: SaaS Artifactory Build
on: [push, workflow_dispatch]   # trigger not shown on the original page; adjust to your repository
# add the permissions block from Required Permissions above; without id-token: write the OIDC exchange fails
jobs:
  build-deploy:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4
      - name: Get Artifactory Access Token
        id: jf-saas-setup
        uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c
        with:
          jfrog-edge-url: https://edgeinternal1uhg.optum.com
          jfrog-url: https://centraluhg.jfrog.io
          jfrog-project-key: your-project-key
          npm-setup: true
      - name: Node build and quality scan
        uses: optum-eeps/epl-actions/node-build-scan@v1   # pin to a commit SHA for production (see Best Practices)
        with:
          jfrog-project-key: your-project-key
          jfrog-build-name: ${{ steps.jf-saas-setup.outputs.jfrog-build-name }}
          jfrog-build-number: ${{ steps.jf-saas-setup.outputs.jfrog-build-number }}
          npm-publish: true
```
EPL Actions & Workflows
Key Actions
- uhg-pipelines/epl-jf/saas-setup
- uhg-pipelines/epl-jf/configure-saas-connection
- uhg-pipelines/epl-jf/promote-artifact
- optum-eeps/epl-actions/node-build-scan
- uhg-pipelines/epl-jf/upload-artifact
- uhg-pipelines/epl-jf/xray-scan
Configure SaaS Connection Action
The uhg-pipelines/epl-jf/configure-saas-connection action is used to establish authenticated connections to Optum's SaaS Artifactory instances. This action configures both the central JFrog instance (centraluhg.jfrog.io) and the edge internal instance (edgeinternal1uhg.optum.com) for artifact operations.
Usage Example
```yaml
- name: Configure SaaS Artifactory Connection
  uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c
  with:
    jfrog-project-key: your-project-key
    npm-setup: true                                      # Configure npm registry
    pip-setup: false                                     # Configure pip registry
    yarn-setup: false                                    # Configure yarn registry
    terraform-setup: false                               # Configure Terraform provider
    apt-setup: true                                      # Configure apt repositories (default: true)
    go-setup: false                                      # Configure Go with GOPROXY
    jfrog-url: https://centraluhg.jfrog.io               # Default
    jfrog-edge-url: https://edgeinternal1uhg.optum.com   # Default
    central-server-name: jfrog-central                   # Default
    edge-server-name: jfrog-core-edge                    # Default
    edge-node-login-wait-time: '5'                       # Seconds to wait for edge node login
```
Available Inputs
- jfrog-project-key: Required for project-specific repositories
- npm-setup: Configure npm to use Artifactory (default: false)
- pip-setup: Configure pip to use Artifactory (default: false)
- yarn-setup: Configure yarn to use Artifactory (default: false)
- terraform-setup: Configure Terraform providers (default: false)
- apt-setup: Configure apt repositories (default: true)
- go-setup: Configure Go with GOPROXY (default: false)
- jfrog-build-name/number: Optional build identifiers
- edge-node-login-wait-time: Seconds to wait for OIDC propagation (default: 5)
Key Outputs
- access-token: OIDC-derived Artifactory access token (a credential: never echo it to logs or hand it to steps you do not trust)
- oidc-subject: OIDC token subject
- jfrog-http-auth: Encoded HTTP auth string (also a credential; handle it like access-token)
- jfrog-docker-repository: Non-prod Docker repo for project
- jfrog-edge-node: Edge node URL without HTTPS prefix
- Repository suffixes: For npm, maven, pypi, docker, terraform, etc.
Key Features
- OIDC Authentication: Establishes secure OIDC-based authentication with both central and edge nodes
- Multi-Technology Setup: Configures npm, pip, yarn, terraform, apt, and Go package managers
- Docker Registry Login: Automatically logs into both central and edge Docker registries
- Repository Variables: Provides project-specific repository names and suffixes
- Edge Node Synchronization: Includes wait time for OIDC token propagation to edge nodes
- Comprehensive Outputs: Returns all necessary variables for downstream workflow steps
Getting Latest Version with GitHub CLI
To find the latest version of this action using GitHub CLI:
# List all releases/tags for the epl-jf repository
```bash
# List the ten most recent releases/tags of the epl-jf repository
gh api repos/uhg-pipelines/epl-jf/releases --jq '.[].tag_name' | head -10

# HEAD commit SHA of main (the whole repository, not one action)
gh api repos/uhg-pipelines/epl-jf/commits/main --jq '.sha'

# Latest commit that touched the configure-saas-connection directory.
# gh api switches to POST as soon as --field is given, so force GET
# (the field is then sent as a query parameter).
gh api --method GET repos/uhg-pipelines/epl-jf/commits \
  --field path=configure-saas-connection \
  --jq '.[0].sha'

# View the action's metadata (the contents API returns it base64-encoded)
gh api repos/uhg-pipelines/epl-jf/contents/configure-saas-connection/action.yml \
  --jq '.content' | base64 -d
```
Best Practices
- Pin to Specific SHA: Use specific commit SHA instead of branch references for production
- Update Regularly: Check for updates monthly as EPL actions are actively maintained
- Service Connection: Ensure your repository has access to the required service connection
- Project Key: Use consistent project keys across your organization's repositories
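The pinning rule above can be enforced mechanically. What follows is an added example, not code from this page or from the EPL projects: a POSIX shell audit that lists every `uses:` reference in a workflow file that is not pinned to a 40-character commit SHA, plus a gate that fails when any is found. The sample workflow it writes is constructed for the demonstration; the only pinned SHA in it is the configure-saas-connection SHA already quoted on this page.

```shell
#!/bin/sh
# Added example (not from the page or the EPL projects): audit GitHub Actions
# workflow files for `uses:` references that are not pinned to a full commit
# SHA. Tags and branches (@v1, @latest, @main) can be re-pointed by whoever
# controls the action repository; a 40-hex-character SHA cannot.

# audit_action_pins <workflow.yml>...
# Prints "<file>:<line>: <ref>" for every unpinned reference. Local actions
# (./path) and docker:// images are skipped; they are pinned differently.
audit_action_pins() {
    for f in "$@"; do
        grep -n -E '^[[:space:]-]*uses:' "$f" | while IFS= read -r hit; do
            lineno=${hit%%:*}
            # drop the "uses:" key, any trailing comment or whitespace, and quotes
            ref=$(printf '%s\n' "${hit#*:}" \
                | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]+#.*$//; s/[[:space:]]+$//; s/^["'\'']//; s/["'\'']$//')
            case "$ref" in
                ./*|docker://*) continue ;;
            esac
            version=${ref##*@}
            if ! printf '%s\n' "$version" | grep -qE '^[0-9a-f]{40}$'; then
                printf '%s:%s: %s\n' "$f" "$lineno" "$ref"
            fi
        done
    done
}

# CI gate: exit non-zero when anything is unpinned, listing the offenders on stderr.
require_pinned_actions() {
    found=$(audit_action_pins "$@")
    [ -z "$found" ] && return 0
    printf 'unpinned action references:\n%s\n' "$found" >&2
    return 1
}

# Constructed sample workflow (not a real Optum workflow) mixing pinned,
# unpinned, quoted and local references.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - name: Configure Artifactory
        uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c # pinned
      - uses: "optum-eeps/epl-actions/node-build-scan@v1"
      - uses: uhg-pipelines/epl-jf/promote-artifact@latest
EOF
}

sample=$(mktemp)
write_sample_workflow "$sample"
if require_pinned_actions "$sample"; then
    echo "all action references are pinned to commit SHAs"
fi
rm -f "$sample"
```

Run it as `require_pinned_actions .github/workflows/*.yml` in a pre-merge job; on the constructed sample it reports `actions/checkout@v4`, the quoted `node-build-scan@v1` and `promote-artifact@latest`, and passes the SHA-pinned configure-saas-connection reference.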
Alternative to saas-setup
This action can be used as an alternative to, or alongside, the saas-setup action, depending on your authentication and configuration requirements.
Promote Artifact Action
The uhg-pipelines/epl-jf/promote-artifact action enables promotion of artifacts between repositories in JFrog Artifactory. This is essential for moving artifacts through different environments (dev → staging → prod) or promoting to global shared repositories.
Usage Example
```yaml
- name: Promote Artifact to Global Repository
  # @latest is a moving reference; pin to a commit SHA for production (see Best Practices)
  uses: uhg-pipelines/epl-jf/promote-artifact@latest
  with:
    jfrog-url: https://centraluhg.jfrog.io               # Default
    jfrog-token: ${{ steps.auth.outputs.access-token }}  # access-token output of the OIDC setup step
    jfrog-repository-type: npm                           # One of: npm, pypi, maven, scala, generic, terraform
    jfrog-artifact-name: '@your-org/your-package'
    jfrog-artifact-version: '1.2.3'                      # Required for npm, maven, pypi
    jfrog-source-repository: your-project-npm-np-loc
    jfrog-target-repository: glb-npm-global-loc
```
Supported Repository Types
- npm: Node.js packages
- pypi: Python packages
- maven: Java/Maven artifacts
- scala: Scala packages
- generic: Generic file artifacts
- terraform: Terraform modules/providers
Required Inputs
- jfrog-token: Authentication token (typically from OIDC setup)
- jfrog-repository-type: Must be one of the supported types
- jfrog-artifact-name: Full artifact name/identifier
- jfrog-source-repository: Source repository name
- jfrog-target-repository: Destination repository name
Optional Inputs
- jfrog-url: Artifactory URL (defaults to https://centraluhg.jfrog.io)
- jfrog-artifact-version: Version/tag (required for npm, maven, pypi)
Common Promotion Patterns
```yaml
# Promote to global shared repository
jfrog-source-repository: myproject-npm-np-loc
jfrog-target-repository: glb-npm-global-loc

# Promote from non-prod to prod
jfrog-source-repository: myproject-npm-np-loc
jfrog-target-repository: myproject-npm-prod-loc

# Promote generic artifacts
jfrog-repository-type: generic
jfrog-artifact-name: my-binary-v1.0.0.tar.gz
# No version required for generic artifacts
```
Best Practices
- Use with EPL Workflows: Combine with promotion workflows for automated pipelines
- Version Pinning: Always specify exact versions for reproducible promotions
- Access Control: Ensure proper permissions for both source and target repositories
- Validation: Verify artifact exists in source before attempting promotion
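The validation item above (confirm the artifact exists in the source repository before promoting) as an added example, not code from this page or from the epl-jf actions. It assumes Artifactory's property-search endpoint (`/artifactory/api/search/prop`) together with the `npm.name`/`npm.version` and `pypi.name`/`pypi.version` properties Artifactory sets on npm and PyPI packages, and the storage endpoint `/artifactory/api/storage/<repo>/<path>` for generic files; none of these are stated on the page. The repository names and token come from the page's placeholders; `preflight_promotion` and the other function names are mine.

```shell
#!/bin/sh
# Added example, not code from the page or the epl-jf actions. Before calling
# promote-artifact, confirm the artifact really exists in the source repository.
# Assumptions (not stated on the page): Artifactory's property-search endpoint
# /artifactory/api/search/prop, the npm.name/npm.version and pypi.name/pypi.version
# properties it sets on npm and PyPI packages, and the storage endpoint
# /artifactory/api/storage/<repo>/<path> for generic files.

JFROG_URL=${JFROG_URL:-https://centraluhg.jfrog.io}

# artifact_lookup_path <type> <source-repo> <artifact-name> [version]
# Prints the REST path (relative to $JFROG_URL/artifactory/) that locates the
# artifact, enforcing the same rule as promote-artifact: a version is mandatory
# for npm, maven and pypi; generic artifacts are addressed by file name only.
# Exit status 2 means the inputs are invalid; no network call has been made yet.
artifact_lookup_path() {
    rtype=$1 repo=$2 name=$3 version=${4:-}
    if [ -z "$repo" ] || [ -z "$name" ]; then
        echo "source repository and artifact name are required" >&2
        return 2
    fi
    case "$rtype" in
        npm|maven|pypi)
            if [ -z "$version" ]; then
                echo "version is required for $rtype artifacts" >&2
                return 2
            fi ;;
    esac
    # '@' and '/' are left unencoded in the query string; Artifactory accepts them as-is
    case "$rtype" in
        npm)     printf 'api/search/prop?npm.name=%s&npm.version=%s&repos=%s\n' "$name" "$version" "$repo" ;;
        pypi)    printf 'api/search/prop?pypi.name=%s&pypi.version=%s&repos=%s\n' "$name" "$version" "$repo" ;;
        generic) printf 'api/storage/%s/%s\n' "$repo" "$name" ;;
        *)       echo "no preflight lookup defined for repository type '$rtype'" >&2; return 2 ;;
    esac
}

# artifact_exists <type> <source-repo> <artifact-name> [version]
# Returns 0 when found, 1 when missing, 2 on bad input. Needs JFROG_TOKEN,
# e.g. the access-token output of configure-saas-connection.
artifact_exists() {
    path=$(artifact_lookup_path "$@") || return 2
    body=$(curl -sSf -H "Authorization: Bearer ${JFROG_TOKEN:?JFROG_TOKEN is not set}" \
        "$JFROG_URL/artifactory/$path") || return 1
    case "$path" in
        api/search/prop*) printf '%s' "$body" | grep -q '"uri"' ;;   # {"results":[]} means not found
        *) return 0 ;;                                               # storage API already 404s when missing
    esac
}

# Gate for a promotion step: fail instead of promoting an artifact that was never published.
preflight_promotion() {
    if artifact_exists "$@"; then
        echo "preflight ok: $3${4:+@$4} found in $2"
    else
        echo "preflight failed: $3${4:+@$4} not found in $2; not promoting" >&2
        return 1
    fi
}

# Dry run with the page's promote-artifact example inputs (no network needed)
artifact_lookup_path npm your-project-npm-np-loc @your-org/your-package 1.2.3
```

In a workflow, run `preflight_promotion npm your-project-npm-np-loc @your-org/your-package 1.2.3` with `JFROG_TOKEN` set from the OIDC step as a `run:` step immediately before the promote-artifact step; a missing version for npm, maven or pypi is rejected locally with status 2 before any request is sent.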
Getting Latest Version
# Get latest commit for promote-artifact action
```bash
# Latest commit that touched the promote-artifact directory.
# gh api switches to POST as soon as --field is given, so force GET.
gh api --method GET repos/uhg-pipelines/epl-jf/commits \
  --field path=promote-artifact \
  --jq '.[0].sha'

# View action documentation (the contents API returns it base64-encoded)
gh api repos/uhg-pipelines/epl-jf/contents/promote-artifact/README.md \
  --jq '.content' | base64 -d
```
Reusable Workflows
- Node CI
- Repository must be claimed in Source Code Manager
Artifact Promotion
Global Promotion Workflow
```yaml
name: Promote to Global NPM repository
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Module version (leave blank for package.json value)"
        required: false
        type: string
# write-all grants every token scope to the called workflow; narrow this to the
# scopes the promote-npm-artifact workflow documents as required
permissions: write-all
jobs:
  node-promotion:
    uses: uhg-pipelines/privileged-workflows/.github/workflows/promote-npm-artifact.yaml@v1
    with:
      artifact-name: '@your-org/your-package'
      artifact-version: ${{ inputs.version }}
      jfrog-project-key: your-project-key
      promotion-type: global
```
Local Development Setup
Technology-Specific Setup
- Node.js: NPM setup guide
- Python: Python setup guide
- Java/Gradle: Gradle setup guide
- Go: Go setup guide
Migration Considerations
Important Notes
- No automatic migration: Artifacts must be manually migrated from CHC
- First installs may fail: it is common for npm install or pip install to fail initially
- Retention policies: Apply to all published and promoted artifacts
- Access control: Users need the ad_group_name role for private repositories
Timeline
- Deadline: October 2025 (CHC Artifactory shutdown)
- Current Status: Active migration period
- Support: Available through Artifactory Office Hours
Troubleshooting
Common Issues
- Authentication failures: Verify OIDC setup and Azure sync
- First install failures: Retry - initial installs commonly fail
- Access denied: Check AZU_ARTIFACTORY_USERS group membership
- Repository not found: Verify repository creation and naming
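The retry advice above as an added example (not from the page): a bounded retry with exponential backoff that a workflow `run:` step or a local shell can wrap around `npm install` or `pip install`, so a first-install failure does not fail the job outright while a persistent failure still does. `flaky_install` is a constructed stand-in that fails twice and then succeeds.

```shell
#!/bin/sh
# Added example, not from the page: bounded retry with exponential backoff
# around a package install, because the first `npm install` / `pip install`
# against a newly created SaaS Artifactory repository commonly fails.

# retry_install <max_attempts> <initial_delay_seconds> <command...>
# Runs the command until it succeeds or max_attempts is reached; the delay
# doubles after each failure. Returns the command's last exit status, so a
# persistent failure still fails the job.
retry_install() {
    max=$1; delay=$2; shift 2
    attempt=1
    while :; do
        "$@" && return 0
        status=$?
        if [ "$attempt" -ge "$max" ]; then
            echo "giving up after $attempt attempt(s); last exit status $status" >&2
            return "$status"
        fi
        echo "attempt $attempt failed (exit $status); retrying in ${delay}s" >&2
        sleep "$delay"
        attempt=$((attempt + 1))
        delay=$((delay * 2))
    done
}

# Constructed stand-in for a flaky install: fails until its 3rd invocation.
# The call count lives in the file named by $COUNTER.
flaky_install() {
    n=$(cat "$COUNTER" 2>/dev/null)
    n=$(( ${n:-0} + 1 ))
    echo "$n" > "$COUNTER"
    [ "$n" -ge 3 ]
}

COUNTER=$(mktemp)
if retry_install 3 1 flaky_install; then
    echo "install succeeded on attempt $(cat "$COUNTER")"
fi
rm -f "$COUNTER"
```

In a workflow step, `retry_install 3 5 npm ci` (or `retry_install 3 5 pip install -r requirements.txt`) gives three attempts with 5 s and then 10 s between them; the exit status of the final attempt is what the step reports.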
Support Resources
- Official Documentation
- AppSec Artifactory Overview
- Artifactory Office Hours (see Dojo360 for schedule)
- HCP Console