Cloudsmith CLI Action v1 is now deprecated. Security-only patches will continue until 31st December 2026, after which v1 reaches end-of-life (EOL).

Migrate to v2 before 31st December 2026 to avoid disruption.

Why this matters

v1 runs on Node.js 20, which reached EOL on 30th April 2026. Continuing to ship a GitHub Action on an unsupported Node.js runtime exposes pipelines to unpatched runtime CVEs, and to GitHub Actions failures due to the deprecation of Node 20 on GitHub Actions runners.

v2 runs on Node.js 24. For more information about Node.js releases, see the Node.js release documentation.

Who this affects

Anyone using cloudsmith-io/cloudsmith-cli-action v1 (or pinned at v1.x.x) in their GitHub Actions workflows. For example:

• Customers automating Cloudsmith pushes/pulls in CI/CD
• Customers using OIDC to authenticate GitHub Actions against Cloudsmith
• Customers on self-hosted runners

Breaking changes and important information

No input or output names have changed in v2. Before migrating to v2, review the following breaking changes:

1. Node.js 24 runtime:
   
   GitHub-hosted runners are unaffected. Self-hosted runners must explicitly provide Node.js 24+.
   
2. OIDC audience default changed:
   
   The default oidc-audience input has been updated to provide organization-specific audience claims.
   • New default: https://github.com/{org-name} (using GITHUB_REPOSITORY_OWNER)
   • Previous default: api://AzureADTokenExchange

If your existing OIDC trust configuration relies on the legacy api:// claim, you must either update your validation logic within Cloudsmith or explicitly set oidc-audience: 'api://AzureADTokenExchange' in your workflow YAML to maintain current behavior.

Migrating to Cloudsmith CLI action v2

To migrate to v2, make the following one-line change in your affected GitHub Action workflows:

- uses: cloudsmith-io/cloudsmith-cli-action@v1

+ uses: cloudsmith-io/cloudsmith-cli-action@v2

If you have any questions or concerns about this change, please contact us.