You can now proxy and cache binaries, scripts, and other assets directly from GitHub Releases into Cloudsmith. This integration allows you to treat GitHub-hosted assets as a managed part of your internal software supply chain, rather than an external dependency.

Why this matters

• High availability: Cloudsmith caches assets upon the first request. Your binaries remain available even if the source GitHub repository is deleted, is made private, or suffers an outage.
• Rate limit management: Serving repeated requests from the Cloudsmith cache preserves your GitHub API quota and prevents CI/CD failures due to "403 Forbidden" errors from GitHub.
• Governance & visibility: Centralizing access ensures teams download only approved, trusted versions of third-party assets via a single internal URL.

How it works

Cloudsmith utilizes the GitHub REST API to retrieve structured release data and assets, ensuring reliability without relying on complex HTML parsing.

When a file is requested through Cloudsmith, the platform will:

1. Proxy the call to the corresponding GitHub Release API.
2. Retrieve the file from GitHub.
3. Serve and cache the file for all future requests.

Note: Because GitHub organizes releases by namespace (user/org) and repository, you will typically configure a separate Cloudsmith upstream for each GitHub repository.

Rate limits and authentication

To ensure a reliable experience and prevent performance bottlenecks, upstreams configured to GitHub Releases require an authentication token. GitHub limits unauthenticated API requests to just 60 per hour per IP address. By providing a GitHub token, you leverage GitHub’s authenticated rate limit of 5,000 requests per hour, ensuring your pipelines remain stable and performant.

For more details, see the official GitHub REST API Rate Limits documentation.

Get started

To configure an upstream for GitHub Releases, follow these steps:

1. Navigate to your repository and select Upstreams.
2. Click Configure new upstream and select the Generic source type.
3. Enter your GitHub Releases URL and your authentication token.

For more details, please review our documentation.