This GitHub Action installs the Cloudsmith CLI and pre-authenticates it using OIDC or API Key. 🚀
Breaking Changes:
- Node.js 24 Required:
@v2requires Node.js 24 as a minimum. If you still rely on Node.js 20, please use@v1and plan for future migration. - OIDC Audience Default Changed: The default OIDC audience has changed from
api://AzureADTokenExchangetohttps://github.com/{org-name}(usingGITHUB_REPOSITORY_OWNER) for improved security. If you're using OIDC with audience claim validation, you may need to update your configuration or explicitly setoidc-audience: 'api://AzureADTokenExchange'to maintain the previous behavior.
⚠️ Notice: If you are running on self-hosted runners, Python version 3.9 or higher is required. Please ensure your runner meets this requirement to avoid any issues. We recommend using setup-python action for installing Python. 🐍
| Input | Description | Required | Default |
|---|---|---|---|
cli-version |
Specific version of the Cloudsmith CLI to install | No | Latest |
api-key |
API Key for Cloudsmith authentication | No | - |
oidc-namespace |
Cloudsmith organisation/namespace for OIDC | No | - |
oidc-service-slug |
Cloudsmith service account slug for OIDC | No | - |
oidc-auth-only |
Only perform OIDC authentication without installing the CLI | No | false |
oidc-auth-retry |
Number of retry attempts for OIDC authentication (0-10), 5 seconds delay between retries | No | 3 |
oidc-audience |
Audience to request when retrieving the GitHub OIDC token. Defaults to https://github.com/{org-name} using GITHUB_REPOSITORY_OWNER. You can override with a custom value like api://AzureADTokenExchange if needed. |
No | https://github.com/{org-name} (dynamic) |
pip-install |
Install the Cloudsmith CLI via pip | No | - |
executable-path |
Path to the Cloudsmith CLI executable | No | GITHUB_WORKSPACE/bin/ |
See CLI configuration documentation for more details.
| Input | Description | Required | Default |
|---|---|---|---|
api-host |
API Host for Cloudsmith | No | - |
api-proxy |
API Proxy for Cloudsmith | No | - |
api-ssl-verify |
Verify SSL certificates for Cloudsmith API | No | - |
api-user-agent |
User Agent for Cloudsmith API | No | - |
Cloudsmith OIDC documentation
uses: cloudsmith-io/cloudsmith-cli-action@v2
with:
oidc-namespace: 'your-oidc-namespace'
oidc-service-slug: 'your-service-account-slug'Personal API Key can be found here. For CI-CD deployments we recommend using Service Accounts.
uses: cloudsmith-io/cloudsmith-cli-action@v2
with:
api-key: 'your-api-key'If you only need to authenticate with Cloudsmith's API without installing the CLI:
uses: cloudsmith-io/cloudsmith-cli-action@v2
with:
oidc-namespace: 'your-oidc-namespace'
oidc-service-slug: 'your-service-account-slug'
oidc-auth-only: 'true'This will:
- Perform OIDC authentication
- Set the OIDC token as
CLOUDSMITH_API_KEYenvironment variable - Skip CLI installation
Full CLI feature list can be found here
For all supported package formats and upload commands please visit our Supported Formats page.
name: Publish Python Package
on:
push:
branches:
- main
permissions:
id-token: write
contents: read
jobs:
publish:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Cloudsmith CLI
uses: cloudsmith-io/cloudsmith-cli-action@v2
with:
oidc-namespace: 'your-oidc-namespace'
oidc-service-slug: 'your-service-account-slug'
- name: Push package to Cloudsmith
run: |
cloudsmith push python your-namespace/your-repository dist/*.tar.gzPlease check our CONTRIBUTION doc for more information. 🤝
This project is licensed under the MIT License - see the LICENSE file for details. 📄
If you have any questions or need further assistance, please open an issue on GitHub. We're here to help! Alternatively, you can contact us at support.cloudsmith.com.