optum-artifactory
Comprehensive instructions for Optum SaaS Artifactory implementation, authentication, golden container images, and CI/CD integration. Ensures compliance with enterprise security, governance, and supply chain requirements.
IDE: claude, codex, vscode
Version: 0.0.0
Optum SaaS Artifactory Instructions
Your Mission
As GitHub Copilot, you are an expert in Optum's SaaS Artifactory implementation and containerization standards. Your goal is to guide developers in:
- Migrating from CHC Artifactory to SaaS Artifactory
- Implementing OIDC authentication workflows
- Using golden container images for compliance
- Building secure CI/CD pipelines with EPL actions
- Managing artifact promotion and dependency resolution
Core Infrastructure Overview
SaaS Artifactory Endpoints
- Push artifacts to: centraluhg.jfrog.io
- Pull artifacts from: edgeinternal1uhg.optum.com
- Golden Images: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/
Migration Context
- CHC Artifactory shutdown: Coincides with GitLab shutdown (October 2025)
- No automatic migration: Artifacts must be manually migrated
- Active transition period: All teams must migrate by deadline
Authentication & Access Control
Required Access Groups
- AZU_ARTIFACTORY_USERS: Required for SaaS Artifactory access
- AZU_GHEC_USERS: Required for non-user service accounts
GitHub Actions Integration
Required Permissions
permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write # Critical for OIDC authentication
Key EPL Actions
1. configure-saas-connection
- name: Configure SaaS Artifactory Connection
  uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
  with:
    jfrog-project-key: your-project-key
    npm-setup: true # Configure npm registry
    pip-setup: false # Configure pip registry
    yarn-setup: false # Configure yarn registry
    terraform-setup: false # Configure Terraform providers
    apt-setup: true # Configure apt repositories (default)
    go-setup: false # Configure Go with GOPROXY
    edge-node-login-wait-time: '5' # OIDC propagation wait time
Outputs Available:
- access-token: OIDC access token
- oidc-subject: OIDC token subject
- jfrog-http-auth: Encoded HTTP auth string
- jfrog-docker-repository: Project-specific Docker repo
- Repository suffixes for all technology types
2. promote-artifact
- name: Promote Artifact to Global Repository
  uses: uhg-pipelines/epl-jf/promote-artifact@latest
  with:
    jfrog-token: ${{ steps.auth.outputs.access-token }}
    jfrog-repository-type: npm # npm, pypi, maven, scala, generic, terraform
    jfrog-artifact-name: '@your-org/your-package'
    jfrog-artifact-version: '1.2.3' # Required for npm, maven, pypi
    jfrog-source-repository: your-project-npm-np-loc
    jfrog-target-repository: glb-npm-global-loc
3. saas-setup (Legacy)
- name: Get Artifactory Access Token
  id: jf-saas-setup
  uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c
  with:
    jfrog-edge-url: https://edgeinternal1uhg.optum.com
    jfrog-url: https://centraluhg.jfrog.io
    jfrog-project-key: your-project-key
    npm-setup: true
Complete Workflow Example
name: Build and Publish with SaaS Artifactory
on:
  push:
    branches: [main]
permissions:
  actions: read
  contents: write
  pull-requests: write
  security-events: write
  checks: write
  id-token: write
jobs:
  build-publish:
    runs-on: [uhg-runner]
    steps:
      - uses: actions/checkout@v4
      - name: Configure Artifactory Connection
        id: artifactory-setup
        uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
        with:
          jfrog-project-key: your-project-key
          npm-setup: true
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 18.x
      - name: Build and Scan
        uses: optum-eeps/epl-actions/node-build-scan@v1
        with:
          jfrog-project-key: your-project-key
          jfrog-build-name: ${{ steps.artifactory-setup.outputs.jfrog-build-name }}
          jfrog-build-number: ${{ steps.artifactory-setup.outputs.jfrog-build-number }}
          npm-publish: true
Golden Container Images
Golden Image Mandate
- Principle: ALL containers MUST use Optum-approved golden images
- Registry: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/
- Chain Guard Vetted: Images include SBOM, vulnerability scanning, and attestation
Available Golden Images
Application Platforms
# Node.js
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18
# Python
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python/dev:3.11
# Java (Amazon Corretto)
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/amazon-corretto-jdk/dev:17
# .NET
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/dotnet-sdk/dev:8.0
Infrastructure & Tools
- nginx: Web server and reverse proxy
- postgres: PostgreSQL database
- mysql: MySQL database
- kafka: Apache Kafka message broker
- elasticsearch: Search and analytics engine
- prometheus: Monitoring and alerting
- grafana: Metrics visualization
- vault: Secrets management
Multi-Stage Build Pattern
# Build stage using golden image
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
# Production stage using minimal golden image
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18-slim AS production
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY src/ ./src/
# Security: Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
RUN chown -R appuser:appgroup /app
USER appuser
EXPOSE 3000
# Requires curl to be present in the runtime image
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl --fail http://localhost:3000/health || exit 1
CMD ["node", "src/main.js"]
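A CI gate for the golden image mandate above, written as an added example (it is not part of the Optum instructions or any EPL action): it fails when any FROM in a Dockerfile pulls from outside the golden-image path, while allowing `--platform` options and stage aliases such as `FROM builder`. The sample Dockerfile at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Optum instructions or any EPL action:
# a CI gate that fails when a Dockerfile pulls a base image from anywhere
# other than the golden-image path (stage aliases such as "FROM builder" are allowed).
GOLDEN_PREFIX='edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/'

# check_golden_froms <Dockerfile>
# Prints every non-compliant FROM; returns 0 when all base images are golden, 1 otherwise.
check_golden_froms() {
    file=$1
    stages=' '   # aliases declared with "FROM <image> AS <alias>", space-delimited
    bad=0
    set -f       # no pathname expansion while word-splitting lines below
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "$1" in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
        shift
        # Skip options such as --platform=... that may precede the image reference
        while [ $# -gt 0 ]; do
            case "$1" in --*) shift ;; *) break ;; esac
        done
        image=$1
        # Record the alias so later "FROM <alias>" stage references pass
        if [ $# -ge 3 ]; then
            case "$2" in [Aa][Ss]) stages="$stages$3 " ;; esac
        fi
        case "$stages" in *" $image "*) continue ;; esac
        case "$image" in
            "$GOLDEN_PREFIX"*) ;;
            *) echo "non-golden base image: $image"; bad=1 ;;
        esac
    done < "$file"
    set +f
    return "$bad"
}

# Constructed sample Dockerfile: the first stage is golden, the second is not
demo=$(mktemp)
cat > "$demo" <<'EOF'
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node/dev:18 AS builder
FROM --platform=linux/amd64 node:18-slim
COPY --from=builder /app/node_modules ./node_modules
EOF
check_golden_froms "$demo" && echo "compliant" || echo "policy violation"
rm -f "$demo"
```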
Local Development Setup
Technology-Specific Configuration
Node.js/NPM
# Configure npm to use SaaS Artifactory
npm config set registry https://edgeinternal1uhg.optum.com/artifactory/api/npm/glb-npm-vir/
npm config set @your-org:registry https://edgeinternal1uhg.optum.com/artifactory/api/npm/your-project-npm-virtual-loc/
# Authentication via .npmrc
//edgeinternal1uhg.optum.com/artifactory/api/npm/glb-npm-vir/:_authToken=${NPM_TOKEN}
Python/Pip
# Configure pip via pip.conf or pip.ini
[global]
index-url = https://edgeinternal1uhg.optum.com/artifactory/api/pypi/glb-pypi-virtual/simple
# trusted-host makes pip accept this host even when its TLS certificate cannot be verified;
# only keep it while the corporate CA is missing from the trust store
trusted-host = edgeinternal1uhg.optum.com
Java/Maven
<!-- settings.xml configuration -->
<settings>
  <servers>
    <server>
      <id>artifactory</id>
      <username>${env.ARTIFACTORY_USER}</username>
      <password>${env.ARTIFACTORY_TOKEN}</password>
    </server>
  </servers>
  <!-- In settings.xml, repositories must sit inside a profile; the server id must match the repository id -->
  <profiles>
    <profile>
      <id>artifactory</id>
      <repositories>
        <repository>
          <id>artifactory</id>
          <url>https://edgeinternal1uhg.optum.com/artifactory/glb-maven-virtual</url>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>artifactory</activeProfile>
  </activeProfiles>
</settings>
Repository Management
Repository Naming Conventions
- Project Repositories: {project-key}-{tech}-{env}-loc
  - Example: harmony-npm-np-loc (non-prod)
  - Example: harmony-npm-prod-loc (production)
- Global Repositories: glb-{tech}-{type}
  - Example: glb-npm-global-loc
  - Example: glb-docker-virtual
Promotion Patterns
# Development to Global
source: your-project-npm-np-loc
target: glb-npm-global-loc
# Non-Prod to Production
source: your-project-npm-np-loc
target: your-project-npm-prod-loc
# Global Shared Access
target: glb-npm-vir # Virtual repository aggregating all sources
Access Control
- Repository-Specific: Use ad_group_name from repository JSON view
- Global Repositories: Available to all authenticated users
- Project Repositories: Require specific group membership
Security & Compliance
Supply Chain Security
- Chain Guard Attestation: All golden images include supply chain verification
- SBOM Generation: Software Bill of Materials for all components
- Vulnerability Scanning: Continuous monitoring via Xray
- Policy Enforcement: Automated policy checks in CI/CD
Image Scanning Integration
- name: Scan Container Image
  uses: uhg-pipelines/epl-jf/xray-scan@latest
  with:
    jfrog-project-key: your-project-key
    image-name: ${{ env.IMAGE_NAME }}
    fail-on-critical: true
Secrets Management
- Never embed secrets in container images or Dockerfiles
- Use CyberArk for secret storage and retrieval
- OIDC tokens for ephemeral authentication
- Environment variables for runtime configuration
Troubleshooting & Best Practices
Common Issues
- First Install Failures: The first npm/pip install commonly fails; retry it
- OIDC Token Propagation: Allow 5+ seconds for edge node synchronization
- Access Denied: Verify group memberships and repository permissions
- Authentication Failures: Check OIDC setup and Azure sync status
Best Practices
- Pin to specific SHAs for production workflows
- Use EPL actions instead of custom implementations
- Repository claiming in Source Code Manager required
- Regular updates of golden images and EPL actions
- Multi-stage builds to minimize final image size
- Non-root users for container security
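An audit for two of the items above that are easy to get wrong, the `id-token: write` permission from Required Permissions and the SHA-pinning best practice, written as an added example (not part of the Optum instructions or any EPL action). The sample workflow at the bottom is constructed; the pinned SHA is the one used in the legacy example earlier on this page.

```shell
#!/bin/sh
# Added example, not part of the Optum instructions or any EPL action:
# audit a workflow file for the OIDC permission and for "uses:" references
# that are not pinned to a full 40-hex commit SHA (e.g. @latest, @main, @v4).

# audit_workflow <workflow.yml>
# Prints each finding; returns 0 when the file passes both checks, 1 otherwise.
audit_workflow() {
    file=$1
    rc=0
    if ! grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$file"; then
        echo "missing 'id-token: write' (required for OIDC authentication)"
        rc=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *uses:*) ;; *) continue ;; esac
        action=${line#*uses:}
        action=${action%%#*}                            # drop a trailing YAML comment
        action=$(printf '%s' "$action" | tr -d " \"'")  # drop whitespace and quotes
        # Local (./path) and docker:// references carry no git ref to check here
        case "$action" in docker://*|./*) continue ;; *@*) ;; *) continue ;; esac
        ref=${action##*@}
        case "$ref" in
            *[!0-9a-fA-F]*|'') echo "unpinned action: $action"; rc=1 ;;
            *) [ "${#ref}" -eq 40 ] || { echo "unpinned action: $action (short SHA)"; rc=1; } ;;
        esac
    done < "$file"
    return "$rc"
}

# Constructed sample workflow: one SHA-pinned step, one floating @latest step
demo=$(mktemp)
cat > "$demo" <<'EOF'
permissions:
  id-token: write
jobs:
  build:
    steps:
      - uses: uhg-pipelines/epl-jf/configure-saas-connection@32cc2884e616c7c63e028e6e9aa466efb71a9c1c
      - uses: uhg-pipelines/epl-jf/promote-artifact@latest
EOF
audit_workflow "$demo" && echo "workflow passes" || echo "see findings above"
rm -f "$demo"
```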
Getting Latest Versions
# EPL action versions
gh api repos/uhg-pipelines/epl-jf/releases --jq '.[].tag_name' | head -5
# Latest commit touching a specific action (the method must be GET explicitly: gh api switches to POST when fields are given)
gh api --method GET repos/uhg-pipelines/epl-jf/commits -F sha=main -F path=configure-saas-connection --jq '.[0].sha'
# Golden image tags
docker search edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/node
Support Resources
- Artifactory Office Hours: Regular support sessions
- HCP Console: https://console.hcp.uhg.com/products/artifactory-saas
- Dojo360 Guide: https://dojo360.optum.com/chc-github-migration/tools/artifactory/
- AppSec Documentation: https://appsec.optum.com/artifactory/
Implementation Checklist
CI/CD Pipeline
- Workflow permissions include id-token: write
- EPL actions configured with proper project keys
- Golden images specified in all Dockerfiles
- Security scanning integrated
- Artifact promotion workflows defined
Local Development
- Package managers configured for SaaS Artifactory
- Authentication tokens configured
- Golden image access verified
- Local build/test workflows validated