Aligning repositories with your catalog
For a catalog to add value, it must be used by the software developers at your organization. This article covers how a catalog should be used and best practices for encouraging adoption.
About catalog alignment
The most common way to measure success with a catalog is to track alignment with the catalog. Your development team’s repositories should be routinely scanned to ensure that they are aligned with the catalog, meaning that all package releases in their repository are also in the organization’s catalog.
When you begin using Tidelift, you can get a benchmark alignment score for each repository and work to bring those scores up to 100% over time. While this may be easier for smaller or newer projects, it may take longer to get legacy projects fully aligned with the catalog. After a certain period of time, we recommend blocking builds in your CI/CD pipeline if they are not aligned with the Tidelift catalog.
Checking alignment from the command line
Interacting with your organization’s catalog is made easier for developers with the Tidelift command line tool. Complete documentation for the command line tool can be found here.
The primary means for developers to use the catalog from the command line are tidelift align and tidelift request.
Running tidelift align in the working directory of a repository enables developers to check how many package releases within their branch are currently approved in the organization’s catalog.
With 100% alignment, a developer can be confident that they will not be blocked at deployment by any issues in their packages. With anything less than 100% alignment, a developer should be sure to request approval on new package releases, or migrate to already-approved releases of the packages they are using.
Running tidelift request allows developers to request approval for a package release directly from the command line. These requests will then be generated as package requests for the manager to review.
Checking for catalog alignment in your CI/CD workflow
If you already have a CI/CD pipeline set up, it is straightforward to insert a Tidelift alignment check as a step in the pipeline. See our workflow integration docs for examples of how to connect Tidelift to your CI/CD workflow. You can configure CI/CD using either our API or the CI tool.
We recommend checking for catalog alignment on every new build. We also check each repository for catalog alignment nightly.
When a CI/CD check fails, developers receive a link to Tidelift where they can see next steps, such as switching to alternate releases or requesting that a release be added to the catalog.
If you’re configuring CI/CD with the Tidelift CLI, you should use the tidelift scan command.
Note: The primary difference between tidelift scan and tidelift align is that the results of tidelift scan are stored and shown in the UI, so alignment activity can be monitored over time. tidelift align is intended for quick local alignment checks, and its results are not stored.
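To make the alignment rule concrete, the following is an added example (not the Tidelift CLI, its output format, or any code from the Tidelift project) that models what a CI alignment gate does: it reads the package releases pinned in a repository, compares each against the organization’s catalog, computes an alignment score, and fails the build when the score is below the threshold your team has chosen while ramping legacy projects up to 100%. The lockfile and catalog contents are constructed sample data, and the catalog structure (approved and denied release sets per package) is an assumption made for the illustration.

```python
"""Illustrative catalog-alignment gate for CI.

Added example only: this is not the Tidelift CLI and does not reproduce its
output format. It mirrors the page's definition of alignment, namely that every
package release pinned in the repository is also approved in the catalog.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample lockfile of pinned releases (not from any real project).
SAMPLE_LOCKFILE = """\
# pinned releases produced by the build tool
requests==2.31.0
urllib3==2.0.7
pyyaml==6.0.1
leftpad-clone==0.0.3
"""

# Constructed sample catalog; the shape {package: {approved, denied}} is an
# assumption for this example, not the real catalog schema.
SAMPLE_CATALOG = {
    "requests": {"approved": {"2.31.0", "2.32.3"}, "denied": set()},
    "urllib3": {"approved": {"2.2.2"}, "denied": {"2.0.7"}},  # 2.0.7 explicitly denied
    "pyyaml": {"approved": {"6.0.1"}, "denied": set()},
    # leftpad-clone is absent: never reviewed, so none of its releases are approved
}

# Matches "name==version", ignoring comments, blank lines and environment markers.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")


def parse_pins(lockfile_text):
    """Return {package: version} for every '==' pin in the lockfile text."""
    pins = {}
    for line in lockfile_text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins


@dataclass
class AlignmentReport:
    total: int
    aligned: int
    # (package, version, reason, suggested next step) for each unaligned release
    unaligned: list = field(default_factory=list)

    @property
    def score(self):
        """Alignment as a percentage; an empty repository is trivially aligned."""
        return 100.0 if self.total == 0 else 100.0 * self.aligned / self.total


def check_alignment(pins, catalog):
    """Compare each pinned release with the catalog and build a report."""
    report = AlignmentReport(total=len(pins), aligned=0)
    for pkg, ver in sorted(pins.items()):
        entry = catalog.get(pkg)
        if entry is None:
            report.unaligned.append((pkg, ver, "package not in catalog", "request approval"))
        elif ver in entry["approved"]:
            report.aligned += 1
        elif ver in entry["denied"]:
            alternatives = ", ".join(sorted(entry["approved"])) or "none approved yet"
            report.unaligned.append((pkg, ver, "release denied",
                                     f"switch to an approved release: {alternatives}"))
        else:
            report.unaligned.append((pkg, ver, "release not yet approved",
                                     "request approval or switch to an approved release"))
    return report


def gate(report, minimum_score):
    """CI decision: True (build may proceed) when the score meets the threshold."""
    return report.score >= minimum_score


def main(minimum_score=100.0):
    """Run the gate over the constructed sample data and return the exit code."""
    report = check_alignment(parse_pins(SAMPLE_LOCKFILE), SAMPLE_CATALOG)
    print(f"alignment: {report.aligned}/{report.total} ({report.score:.1f}%)")
    for pkg, ver, reason, step in report.unaligned:
        print(f"  {pkg}=={ver}: {reason}; next step: {step}")
    return 0 if gate(report, minimum_score) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Start the threshold at the repository’s benchmark score and raise it over time; once it reaches 100, the gate enforces the same rule as full catalog alignment, and the printed next steps mirror the two remedies the text gives developers: request approval, or move to an already-approved release.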
Integrating your artifact manager with JFrog Artifactory
If you are using JFrog Artifactory version 7 as your artifact manager and want an additional layer of assurance, you can sync your catalog’s package release availability back to JFrog Artifactory. This ensures that denied package releases cannot be retrieved at all and may be useful in instances when a CI/CD pipeline is not being used or is being subverted.
For more information on integrating with JFrog Artifactory, see integrating with JFrog Artifactory. If you are using an older version of JFrog Artifactory, please contact email@example.com.