We’ve released v2.0.0 of the Cloudsmith CircleCI Orb, bringing it to full feature parity with our GitHub Actions and Azure DevOps integrations. This update focuses on security through OIDC, improved reliability, and greater flexibility for your CI/CD workflows.
OIDC authentication: Authenticate using OpenID Connect (OIDC) with the new authenticate-with-oidc step. This allows you to exchange short-lived tokens at runtime, eliminating the need to store long-lived API keys in CircleCI environment variables.
Zipapp-based CLI install: We’ve switched the default installation method from pip to a self-contained zipapp downloaded directly from dl.cloudsmith.io. This removes dependencies on the local Python environment and ensures a faster, more consistent setup.
Full CLI access: You are no longer limited to a subset of commands via an orb wrapper. The orb now installs the Cloudsmith CLI directly, allowing you to invoke any CLI command within your run steps.
Updated default executor: We have moved from the deprecated circleci/python:3.7.4 image to the modern cimg/python:3.10 image.
This is a major version release. Please review the following before upgrading
publish command deprecated: The publish command is now deprecated. We recommend using install-cli followed by authenticate-with-oidc (or ensure-api-key), then calling the Cloudsmith CLI directly.pip-install: true.cimg/python:3.10. Jobs relying on the legacy Python 3.7.4 image may need to explicitly pin the tag parameter.You can find full usage examples and parameter references on the CircleCI Orb Registry, or view the source code and contribute via GitHub.
We’ve added support for the Wolfi ecosystem, alongside the ability to proxy and cache both Alpine and Wolfi packages from their public mirrors. For teams installing packages via APK, this provides a simpler, more reliable way to manage dependencies by using Cloudsmith as a single source for both public and private packages…
We’ve released a major update to the Cloudsmith VS Code extension, transforming it from a repository browser into a proactive part of your software supply chain security. By integrating security remediation, automated Infrastructure as Code (IaC) generation, and dependency health tracking directly into the IDE, we’ve eliminated the friction between writing code and managing a secure software supply chain…
Cloudsmith has introduced a new vulnerabilities command to the CLI, allowing users to retrieve package security scan results through a single command…
Upstream Trust prevents attackers from hijacking your internal package names in public repositories. By defining explicit trust boundaries, you ensure that once an artifact is identified as internal, it cannot be replaced by an untrusted externally-sourced version…
Policy as code is a powerful way to scale security and compliance across modern DevOps pipelines, but writing Rego from scratch is a high barrier to entry. We’ve introduced Policy Templates to provide functional starting points, allowing you to deploy validated security guardrails without coding from scratch…
Following our recent update to include cache data in Client Log Exports, we have now added the ability to filter by Edge Response directly within the Client Logs UI…