vivo CICD Artifact Management: Evolution and Implementation Practices

This article introduces how vivo manages artifacts in DevOps CICD practices, explaining the evolution and implementation of artifact management capabilities.

Definition: In a broad sense, artifacts refer to various products generated during software development, including code, documentation, reports, and test results. In a narrow sense, they refer to final products like compiled artifacts, packaged artifacts, and images. An artifact repository is a central warehouse for managing software artifacts, providing storage, version control, security scanning, dependency analysis, and other capabilities.

Evolution Stages: vivo CICD artifact management has undergone four stages: 1) Manual Management - manual build, upload, and deployment with high error rates; 2) Script Management - using Jenkins for automated build, storing artifacts in file servers, deploying via shell scripts; 3) Platform Management 1.0 - self-developed CICD platform based on Jenkins and Spinnaker with automated build, test, and deployment but limited artifact management; 4) Platform Management 2.0 - comprehensive artifact management including version control, storage, promotion, and security management.

Key Capabilities: Multi-type artifact support (Generic, Maven, NPM, PyPI, Docker, Helm), unified artifact management, artifact traceability, security scanning, reduced operations cost, and high-speed distribution across data centers.

Core Functions: Metadata management, unified storage, artifact generation, artifact promotion (graduation between environments), artifact deployment (three methods: build-deploy one-click, select from repository, work order deployment), security scanning (source code, dependencies, files, images), artifact lifecycle/aging management (auto-cleanup with retention policies), and access control (SSO authentication, project isolation, granular permissions).

Security Scanning: Full-process scanning from source code to build to artifact to deployment, component access control rules, and dependency forward/backward traceability.