GitHub Universe 2026: Gold Sponsor
Secure every GitHub Build with Cloudsmith
GitHub and Cloudsmith help teams build and deliver software securely. Connect GitHub to Cloudsmith to automatically publish build artifacts, enforce security policies, scan for vulnerabilities, and distribute trusted packages through a streamlined CI/CD workflow.
Better Together
GitHub is where your source code is stored, reviewed, and built. Cloudsmith is where the artifacts those builds produce are secured, governed, and distributed - often back into GitHub workflows.
Both platforms dance in tandem to secure your supply-chain, with GitHub securing the inner loop: your source code, and Cloudsmith securing the outer loop: the artifacts.
Github Actions
Publish and govern every build output
Add the official Cloudsmith CLI Action to a GitHub Action workflow. Push built artifacts to a secure, policy-enforced Cloudsmith repository in a single step.
- All 30+ Cloudsmith formats
- Automatic security scans and license checks
- OIDC Authentication
Github secret scanning
Keep leaked credentials from becoming a crisis
Cloudsmith is a GitHub secret scanning partner. GitHub scans all source code repositories for credential patterns at commit time; if a Cloudsmith API key is detected, GitHub automatically notifies Cloudsmith of the key, its source, and its location.
- Cloudsmith API Keys detection
- Immediate action by revoking compromised credentials
- Prevents unauthorised access
Dependabot
Manage dependency updates safely
Dependabot will detect new versions of a dependency and automatically raise a version upgrade pull request. With Cloudsmith cooldown and quarantine policies, a brand-new dependency version is held until it has cleared those restrictions — and only then does Dependabot open the PR.
- Automated dependency-updates
- Control the workflow with Cloudsmith
- OIDC Authentication
Github releases
Treat GitHub-hosted assets as managed dependencies
Cloudsmith can proxy and cache binaries, scripts, and other files from GitHub Releases, moving them to a governed part of your internal supply chain rather than an external dependency. Artifacts are always available from the Cloudsmith cache even if the source repository is removed, goes private, or has an outage.
- Cache any public artifact dependencies
- Apply policies inline with your organization
- Central source of truth for all artifacts