github-workflows-dojo360-publish
Build and publish artifacts to SaaS Artifactory using OIDC (images, packages), with optional promotion to global repositories
Publish Workflow Skill
Overview
This skill covers common patterns for publishing build artifacts to Optum SaaS Artifactory using GitHub Actions.
Dojo360 includes a publish.yml workflow. For new implementations, the recommended approach is to use EPL actions (Artifactory OIDC + build/scan/publish actions) and/or the UHG reusable CI workflows that already include scanning and publishing options.
Workflow Reference
Legacy (Dojo360)
Repository: dojo360/pipelines-workflows
Workflow: .github/workflows/publish.yml
Docs: https://github.com/dojo360/pipelines-workflows/tree/main/web/publish/index.md
Recommended (Optum / UHG)
- Artifactory OIDC bootstrap: uhg-pipelines/epl-jf/configure-saas-connection@latest
- Promotion: uhg-pipelines/epl-jf/promote-artifact@latest
- Language build/scan/publish (example): optum-eeps/epl-actions/node-build-scan@v1
- Docker build/publish (example reusable workflow): uhg-pipelines/ci-workflows/.github/workflows/docker-ci.yml@v2
Key Features
- OIDC-based authentication to SaaS Artifactory (no long-lived tokens in GitHub Secrets)
- Publish packages/images to project repositories (non-prod or prod depending on repo policy)
- Optional promotion from project repos to global repos
- Works with multiple artifact types (npm, docker, etc.)
Prerequisites
- You have a valid jfrog-project-key
- Your repo is allowed to publish the artifact type (npm, docker, etc.)
- For Docker builds: base images must be Optum golden images (no public Docker Hub base images)
Required Permissions
Most publish flows need at least:
    permissions:
      id-token: write   # OIDC
      contents: read
Some orgs also require security-events: write / checks: write for scanners.
Templates
See ready-to-copy examples in .github/skills/github-workflows-dojo360-publish/templates/:
- publish-npm-package.yml
- publish-docker-image.yml
- promote-npm-artifact.yml
Notes / Gotchas
- SaaS Artifactory endpoints:
  - Push: centraluhg.jfrog.io
  - Pull: edgeinternal1uhg.optum.com
- Avoid embedding secrets in workflow YAML; use OIDC (configure-saas-connection) wherever possible.
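As an added example (not one of the skill's templates and not code from the EPL actions), the script below turns the rules in the Required Permissions and Notes / Gotchas sections into a pre-flight check you can run before opening a PR: the workflow-level permissions block must grant id-token: write and contents: read, credential-looking keys must not carry literal values, docker push must target centraluhg.jfrog.io rather than the pull endpoint, and Dockerfile FROM lines must not resolve to Docker Hub. The sample workflow and Dockerfile texts are constructed inline; the repository path my-project-docker, the golden-images path, and the assumption that golden base images are pulled through edgeinternal1uhg.optum.com are placeholders and assumptions, not values from this page.

```python
# Added example (not Dojo360 or EPL code): lint a publish workflow and Dockerfile against this page's rules.
import re

PUSH_ENDPOINT = "centraluhg.jfrog.io"         # SaaS Artifactory push endpoint (from the page)
PULL_ENDPOINT = "edgeinternal1uhg.optum.com"  # SaaS Artifactory pull endpoint (from the page)
REQUIRED_PERMISSIONS = {"id-token": "write", "contents": "read"}
# Credential-looking key with a value; `(?<!id-)` keeps `id-token: write` from matching.
SECRET_KEY_RE = re.compile(r"^\s*-?\s*([\w.-]*(?:password|passwd|(?<!id-)token|api[_-]?key)[\w.-]*)\s*:\s*(\S.*)$", re.I)
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def top_level_permissions(workflow_text):
    """Read the column-0 `permissions:` mapping; a scalar form such as write-all returns {"*": value}."""
    perms, in_block = {}, False
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if in_block:
            if line[0] in " \t":
                key, _, value = line.strip().partition(":")
                perms[key.strip()] = value.strip()
                continue
            break  # dedent ends the mapping
        if re.match(r"^permissions\s*:", line):
            scalar = line.split(":", 1)[1].strip()
            if scalar:
                return {"*": scalar}
            in_block = True
    return perms

def lint_workflow(workflow_text):
    """Check the required permissions, literal credentials, and the push endpoint."""
    findings, perms = [], top_level_permissions(workflow_text)
    if "*" in perms:
        findings.append(f"permissions is the blanket scalar {perms['*']!r}; grant only the scopes needed")
    for scope, level in REQUIRED_PERMISSIONS.items():
        if perms.get(scope) != level:
            findings.append(f"permissions.{scope} must be {level!r} (found {perms.get(scope, 'unset')!r})")
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if m and not m.group(2).startswith("${{"):  # a ${{ ... }} expression is not an embedded secret
            findings.append(f"line {n}: {m.group(1)!r} is a literal; use OIDC (configure-saas-connection) "
                            "or a secrets expression")
        if "docker push" in line and PULL_ENDPOINT in line:
            findings.append(f"line {n}: pushing to pull endpoint {PULL_ENDPOINT}; pushes go to {PUSH_ENDPOINT}")
    return findings

def lint_dockerfile(dockerfile_text):
    """Flag FROM lines that resolve to Docker Hub or to a registry other than the pull endpoint."""
    findings, stages = [], set()
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1).lower(), m.group(2)
        if alias:
            stages.add(alias.lower())
        if image in stages or image == "scratch":
            continue  # earlier build stage or empty base: nothing is pulled
        head, _, _ = image.partition("/")
        # Docker treats the first path component as a registry only if it has '.' or ':' or is localhost.
        registry = head if "/" in image and ("." in head or ":" in head or head == "localhost") else None
        if registry in (None, "docker.io", "index.docker.io", "registry-1.docker.io"):
            findings.append(f"line {n}: FROM {image} resolves to Docker Hub; use an Optum golden image")
        elif registry != PULL_ENDPOINT:  # assumption: golden images are pulled through the pull endpoint
            findings.append(f"line {n}: FROM {image} pulls from {registry}, not {PULL_ENDPOINT}")
    return findings

# Constructed samples; `my-project-docker` and `golden-images` are placeholder repository paths.
GOOD_WORKFLOW = """\
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    steps:
      - uses: uhg-pipelines/epl-jf/configure-saas-connection@latest
      - run: docker push centraluhg.jfrog.io/my-project-docker/app:1.0.0
"""
BAD_WORKFLOW = """\
permissions: write-all
jobs:
  publish:
    env:
      JF_ACCESS_TOKEN: eyJraWQiOiJ...placeholder
    steps:
      - run: docker push edgeinternal1uhg.optum.com/my-project-docker/app:1.0.0
"""
DOCKERFILE = """\
FROM node:20 AS build
FROM edgeinternal1uhg.optum.com/golden-images/node:20 AS golden
FROM docker.io/library/node:20-slim
FROM build AS test
"""

if __name__ == "__main__":
    for text, lint in [(GOOD_WORKFLOW, lint_workflow), (BAD_WORKFLOW, lint_workflow), (DOCKERFILE, lint_dockerfile)]:
        print("\n".join(lint(text)) or "OK")
```

The permissions parser deliberately reads only the column-0 block, matching where this page tells you to declare it; job-level permissions blocks are left to the reviewer. The Dockerfile check tracks multi-stage aliases so that FROM build is not mistaken for a Docker Hub pull.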
Related Assets
- github-workflows-dojo360-azure-infrastructure: Deploy Azure infrastructure using Terraform with PCAM vaulted access and native Azure authentication through the Dojo360 Azure Infrastructure workflow (Owner: pcorazao)
- github-workflows-dojo360-container-cd: Deploy containerized applications to AWS ECS/Azure ACS using the Dojo360 Container CD workflow with blue-green and rolling update strategies (Owner: pcorazao)
- github-workflows-dojo360-container-promotion: Multi-environment container deployment promotion through prescribed deployment paths with automated approval gates and E2E testing (Owner: pcorazao)
- github-workflows-dojo360-database: Automate database schema updates using Liquibase via the Dojo360 database workflow (with rollback and validation patterns) (Owner: pcorazao)
- github-workflows-dojo360-database-promotion: Promote Liquibase database changes across environments (dev→qa→cert→prod) with deployment-path validation and approval gates (Owner: pcorazao)
- github-workflows-dojo360-dockerfile-ci: Build and scan container images from a Dockerfile using Optum golden images and the recommended UHG reusable workflow (Owner: pcorazao)

