
CI Server Authentication

Major orgs

To automate deployments from major branches to their related orgs, you need to configure secure authentication from the CI server to a Salesforce connected app.

Note: You need openssl installed on your computer (available in Git Bash).

  • Remain in your initialization branch cicd, or a sub branch of your lowest level major branch (usually integration)
  • For each major branch to link to an org, run the sfdx-hardis command Configuration -> Configure Org CI Authentication (sf hardis:project:configure:auth)

For example, run the command for integration, uat, preprod and production major branches.

If messages ask you to run the same command twice, this is normal; it is for technical reasons :)

If you have errors in your Apex test classes, you may not be able to configure the app for the Production org. You will need to create the connected app manually by following the instructions in yellow in the error message. You can do it later, after you have succeeded in merging the first merge request into the lower major branch (usually integration).

Under the hood

This command will create/update:

  • .sfdx-hardis.yml configuration file (repo)
  • Self-signed certificate (encrypted in repo as .key)
  • Connected App (uploaded to org via metadata api)
  • CI environment variables (manually set in CI/CD server UIs)

At runtime, we use the OAuth 2.0 JSON Web Token (JWT) bearer flow, with the client Id stored in a secured CI/CD variable and the certificate decrypted on the fly using a token stored in a secured CI/CD variable.
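To make the JWT bearer flow above concrete, the following added example (not sfdx-hardis code) builds the RS256-signed assertion with openssl and checks it against the certificate, the same kind of signature check the connected app performs. The function names, client id, username, audience URL and file paths are assumptions chosen for illustration.

```shell
# Added example; client id, username, audience and file paths are placeholders.

b64url() {  # base64url without padding, as JWS requires
  openssl base64 -A | tr '/+' '_-' | tr -d '='
}

# make_jwt_assertion <client_id> <username> <audience> <private_key.pem>
# Prints header.claims.signature signed with RS256.
make_jwt_assertion() {
  local header claims input sig exp
  exp=$(( $(date +%s) + 180 ))   # short-lived assertion (3 minutes, assumption)
  header=$(printf '{"alg":"RS256"}' | b64url)
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s","exp":%d}' \
    "$1" "$2" "$3" "$exp" | b64url)
  input="$header.$claims"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$4" -binary | b64url)
  printf '%s.%s' "$input" "$sig"
}

# verify_jwt_assertion <jwt> <certificate.crt>
# Returns 0 only if the signature matches the certificate's public key.
verify_jwt_assertion() {
  local jwt="$1" cert="$2" tmp sig pad rc=0
  tmp=$(mktemp -d)
  sig=$(printf '%s' "${jwt##*.}" | tr '_-' '/+')
  pad=$(( (4 - ${#sig} % 4) % 4 ))          # restore stripped '=' padding
  while [ "$pad" -gt 0 ]; do sig="$sig="; pad=$((pad - 1)); done
  printf '%s' "$sig" | openssl base64 -d -A > "$tmp/sig.bin"
  openssl x509 -in "$cert" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
    -signature "$tmp/sig.bin" >/dev/null 2>&1 || rc=1
  rm -rf "$tmp"
  return "$rc"
}
```

Only the signed assertion is sent to the org's OAuth token endpoint (grant type urn:ietf:params:oauth:grant-type:jwt-bearer); the private key stays on the CI runner, which is why both the client Id and the decryption token belong in masked, protected CI/CD variables.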

See how to set CI variables on different Git providers:

Dev Hub

If you are using scratch orgs, you also need to configure authentication for the Dev Hub (even if you have already configured authentication for the production org).

To do that, run the following command:

sf hardis:project:configure:auth --devhub