Merge pull request #6 from buildkite-plugins/feat/artifactory_SUP-4303

Add support for JFrog Artifactory

Author: scadu

README.md

@@ -6,6 +6,7 @@ Supported providers:
 - Amazon Elastic Container Registry (ECR)
 - Google Artifact Registry (GAR)
 - Buildkite Packages Container Registry
+- Artifactory Docker Registry
 
 ## Options
 
@@ -15,7 +16,7 @@ These are all the options available to configure this plugin's behaviour.
 
 #### `provider` (string)
 
-The registry provider to use. Supported values: `ecr`, `gar`, `buildkite`.
+The registry provider to use. Supported values: `ecr`, `gar`, `buildkite`, `artifactory`.
 
 #### `image` (string)
 
@@ -82,6 +83,22 @@ Authentication method to use. Supported values: `api-token`, `oidc`.
 
 The Buildkite API token with Read Packages and Write Packages scopes. Required when `auth-method` is `api-token`. Can also be provided via the `BUILDKITE_API_TOKEN` environment variable for backward compatibility.
 
+### Artifactory Provider Options
+
+**Note:** Authentication requires a username (typically email) and identity token from your Artifactory instance.
+
+#### `registry-url` (string)
+
+The Artifactory registry URL (e.g., `myjfroginstance.jfrog.io`). Do not include the protocol (`https://`).
+
+#### `username` (string)
+
+The username for Artifactory authentication, typically your email address.
+
+#### `identity-token` (string)
+
+The Artifactory identity token for authentication. Can reference an environment variable using `$VARIABLE_NAME` syntax.
+
 ## Examples
 
 ### Push to Amazon ECR
@@ -92,7 +109,7 @@ This example pushes an image to an ECR repository.
 steps:
   - label: ":docker: Build and Push"
     plugins:
-      - docker-image-push#v1.0.0:
+      - docker-image-push#v1.0.1:
           provider: ecr
           image: my-app
           ecr:
@@ -108,7 +125,7 @@ This example pushes an image to a GAR repository with a specific tag.
 steps:
   - label: ":docker: Build and Push"
     plugins:
-      - docker-image-push#v1.0.0:
+      - docker-image-push#v1.0.1:
           provider: gar
           image: my-app
           tag: "v1.2.3"
@@ -152,6 +169,24 @@ steps:
             auth-method: oidc
 ```
 
+### Push to Artifactory Docker Registry
+
+This example pushes an image to an Artifactory Docker registry.
+
+```yaml
+steps:
+  - label: ":docker: Build and Push"
+    plugins:
+      - docker-image-push#v1.0.1:
+          provider: artifactory
+          image: my-app
+          tag: "v1.2.3"
+          artifactory:
+            registry-url: myjfroginstance.jfrog.io
+            username: me@example.com
+            identity-token: $ARTIFACTORY_IDENTITY_TOKEN
+```
+
 ### Verbose Mode
 
 Enable verbose mode for detailed debug output.
@@ -160,7 +195,7 @@ Enable verbose mode for detailed debug output.
 steps:
   - label: ":docker: Build and Push (Debug)"
     plugins:
-      - docker-image-push#v1.0.0:
+      - docker-image-push#v1.0.1:
           provider: ecr
           image: my-app
           verbose: true

hooks/environment

@@ -2,7 +2,7 @@
 set -euo pipefail
 
 # Enable debug mode if requested
-if [[ "${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_VERBOSE:-false}" =~ (true|on|1) ]] ; then
+if [[ "${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_VERBOSE:-false}" =~ (true|on|1) ]]; then
   echo "~~~ :hammer: Enabling debug mode"
   set -x
 fi
@@ -32,13 +32,12 @@ main() {
   log_info "Image - $image"
 
   case "$provider" in
-    ecr|gar|buildkite)
-      ;;
-    *)
-      log_error "unsupported provider '$provider'"
-      log_info "Supported providers: ecr, gar, buildkite"
-      exit 1
-      ;;
+  ecr | gar | buildkite | artifactory) ;;
+  *)
+    log_error "unsupported provider '$provider'"
+    log_info "Supported providers: ecr, gar, buildkite, artifactory"
+    exit 1
+    ;;
   esac
 
   # Authenticate with registry

hooks/post-command

@@ -2,7 +2,7 @@
 set -euo pipefail
 
 # Enable debug mode if requested
-if [[ "${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_VERBOSE:-false}" =~ (true|on|1) ]] ; then
+if [[ "${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_VERBOSE:-false}" =~ (true|on|1) ]]; then
   echo "~~~ :hammer: Enabling debug mode"
   set -x
 fi

lib/plugin.bash

@@ -11,22 +11,27 @@ source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/providers/ecr.bash"
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/providers/gar.bash"
 # shellcheck source=lib/providers/buildkite.bash
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/providers/buildkite.bash"
+# shellcheck source=lib/providers/artifactory.bash
+source "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/providers/artifactory.bash"
 
 setup_provider_environment() {
   local provider="$1"
 
   case "$provider" in
-    ecr)
-      setup_ecr_environment
-      ;;
-    gar)
-      setup_gar_environment
-      ;;
-    buildkite)
-      setup_buildkite_environment
-      ;;
-    *)
-      unknown_provider "$provider"
-      ;;
+  ecr)
+    setup_ecr_environment
+    ;;
+  gar)
+    setup_gar_environment
+    ;;
+  buildkite)
+    setup_buildkite_environment
+    ;;
+  artifactory)
+    setup_artifactory_environment
+    ;;
+  *)
+    unknown_provider "$provider"
+    ;;
   esac
 }

lib/providers/artifactory.bash

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+setup_artifactory_environment() {
+  local registry_url_raw="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_ARTIFACTORY_REGISTRY_URL:-}"
+  local username_raw="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_ARTIFACTORY_USERNAME:-}"
+  local identity_token_raw="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_ARTIFACTORY_IDENTITY_TOKEN:-}"
+
+  # Validate required parameters
+  if [[ -z "$registry_url_raw" ]]; then
+    log_error "Artifactory registry URL is required"
+    log_info "Set it via the 'registry-url' parameter in artifactory configuration"
+    exit 1
+  fi
+
+  if [[ -z "$username_raw" ]]; then
+    log_error "Artifactory username is required"
+    log_info "Set it via the 'username' parameter in artifactory configuration"
+    exit 1
+  fi
+
+  if [[ -z "$identity_token_raw" ]]; then
+    log_error "Artifactory identity token is required"
+    log_info "Set it via the 'identity-token' parameter in artifactory configuration"
+    exit 1
+  fi
+
+  # Process environment variable references in parameters
+  local registry_url
+  registry_url=$(expand_env_var "$registry_url_raw" "registry-url")
+
+  local username
+  username=$(expand_env_var "$username_raw" "username")
+
+  local identity_token
+  identity_token=$(expand_env_var "$identity_token_raw" "identity-token")
+
+  # Clean up registry URL (remove protocol if present)
+  registry_url="${registry_url#https://}"
+  registry_url="${registry_url#http://}"
+
+  export DOCKER_PUSH_ARTIFACTORY_REGISTRY_URL="$registry_url"
+
+  log_info "Artifactory registry URL: $registry_url"
+  log_info "Artifactory username: $username"
+
+  log_info "Authenticating with Artifactory Docker registry..."
+  if docker login "$registry_url" -u "$username" -p "$identity_token"; then
+    log_success "Successfully authenticated with Artifactory"
+  else
+    log_error "Failed to authenticate with Artifactory"
+    log_info "Verify your username and identity token are correct"
+    log_info "Ensure the registry URL is accessible and supports Docker registry API"
+    exit 1
+  fi
+
+  local repository="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_ARTIFACTORY_REPOSITORY:-${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_IMAGE}}"
+  local tag="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_TAG:-latest}"
+  export DOCKER_PUSH_REMOTE_IMAGE="${registry_url}/${repository}/${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_IMAGE}:${tag}"
+}

lib/providers/buildkite.bash

@@ -31,17 +31,17 @@ setup_buildkite_environment() {
 
   # Authenticate with registry based on method
   case "$auth_method" in
-    api-token)
-      authenticate_with_api_token "$registry_url"
-      ;;
-    oidc)
-      authenticate_with_oidc "$registry_url"
-      ;;
-    *)
-      log_error "Unsupported authentication method: $auth_method"
-      log_info "Supported methods: api-token, oidc"
-      exit 1
-      ;;
+  api-token)
+    authenticate_with_api_token "$registry_url"
+    ;;
+  oidc)
+    authenticate_with_oidc "$registry_url"
+    ;;
+  *)
+    log_error "Unsupported authentication method: $auth_method"
+    log_info "Supported methods: api-token, oidc"
+    exit 1
+    ;;
   esac
 
   local tag="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_TAG:-latest}"
@@ -51,18 +51,18 @@ setup_buildkite_environment() {
 authenticate_with_api_token() {
   local registry_url="$1"
   local api_token_raw="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_BUILDKITE_API_TOKEN:-}"
-  
+
   local api_token
   # Restrict environment variable expansion to safe, allow listed variables only
   # shellcheck disable=SC2016
   case "${api_token_raw}" in
-    '$CONTAINER_PACKAGE_REGISTRY_TOKEN'|'$BUILDKITE_API_TOKEN'|'$BUILDKITE_PLUGIN_'*)
-      local var_name="${api_token_raw#$}"
-      api_token="${!var_name}"
-      ;;
-    *)
-      api_token="${api_token_raw}"
-      ;;
+  '$CONTAINER_PACKAGE_REGISTRY_TOKEN' | '$BUILDKITE_API_TOKEN' | '$BUILDKITE_PLUGIN_'*)
+    local var_name="${api_token_raw#$}"
+    api_token="${!var_name}"
+    ;;
+  *)
+    api_token="${api_token_raw}"
+    ;;
   esac
 
   # Fallback to environment variable for backward compatibility
@@ -90,7 +90,7 @@ authenticate_with_api_token() {
 authenticate_with_oidc() {
   local registry_url="$1"
   local audience="https://${registry_url}"
-  
+
   log_info "Requesting OIDC token for audience: $audience"
   log_info "Authenticating with Buildkite Packages using OIDC..."
 
@@ -101,4 +101,4 @@ authenticate_with_oidc() {
     log_info "Verify your pipeline has access to the registry and meets OIDC policy requirements"
     exit 1
   fi
-}
+}

lib/providers/ecr.bash

@@ -44,6 +44,6 @@ setup_ecr_environment() {
 
   log_success "Successfully authenticated with ECR"
 
-    local tag="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_TAG:-latest}"
+  local tag="${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_TAG:-latest}"
   export DOCKER_PUSH_REMOTE_IMAGE="${registry_url}/${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_IMAGE}:${tag}"
 }

lib/providers/gar.bash

@@ -41,5 +41,3 @@ setup_gar_environment() {
 
   export DOCKER_PUSH_REMOTE_IMAGE="${registry_host}/${project}/${repository}/${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_IMAGE}:${tag}"
 }
-
-

lib/shared.bash

@@ -20,6 +20,37 @@ log_error() {
   echo "[ERROR]: $*" >&2
 }
 
+# Expand environment variables from plugin configuration values
+# Usage: expand_env_var "raw_value" "parameter_name"
+# Returns: expanded value or exits with error if variable is missing/empty
+expand_env_var() {
+  local raw_value="$1"
+  local param_name="$2"
+  local result
+
+  # shellcheck disable=SC2016
+  case "${raw_value}" in
+  '$'*)
+    local var_name="${raw_value#$}"
+    if [[ -v "${var_name}" ]]; then
+      result="${!var_name}"
+      if [[ -z "$result" ]]; then
+        log_error "Environment variable '${var_name}' referenced by ${param_name} parameter is empty or not set"
+        exit 1
+      fi
+    else
+      log_error "Environment variable '${var_name}' referenced by ${param_name} parameter is empty or not set"
+      exit 1
+    fi
+    ;;
+  *)
+    result="${raw_value}"
+    ;;
+  esac
+
+  echo "$result"
+}
+
 command_exists() {
   command -v "$1" >/dev/null 2>&1
 }
@@ -37,20 +68,20 @@ check_dependencies() {
   fi
 
   case "${BUILDKITE_PLUGIN_DOCKER_IMAGE_PUSH_PROVIDER}" in
-    ecr)
-      if ! command_exists aws; then
-        missing_deps+=("aws")
-      fi
-      ;;
-    gar)
-      if ! command_exists gcloud; then
-        missing_deps+=("gcloud")
-      fi
-      ;;
-    buildkite)
-      # No additional CLI dependencies required for Buildkite Packages
-      # buildkite-agent is always available in Buildkite pipeline jobs
-      ;;
+  ecr)
+    if ! command_exists aws; then
+      missing_deps+=("aws")
+    fi
+    ;;
+  gar)
+    if ! command_exists gcloud; then
+      missing_deps+=("gcloud")
+    fi
+    ;;
+  buildkite)
+    # No additional CLI dependencies required for Buildkite Packages
+    # buildkite-agent is always available in Buildkite pipeline jobs
+    ;;
   esac
 
   if [[ ${#missing_deps[@]} -gt 0 ]]; then
@@ -60,8 +91,6 @@ check_dependencies() {
   fi
 }
 
-
-
 push_image() {
   local local_image="$1"
   local remote_image="${DOCKER_PUSH_REMOTE_IMAGE:-}"