Integrations/Bitbucket Pipelines

Publish artifacts to Cloudsmith directly from Bitbucket Pipelines

Cloudsmith provides an officially maintained Bitbucket pipe that drops straight into your existing pipeline YAML. Authenticate once with an API key, declare your format and repository, and every tagged build pushes your artifacts to Cloudsmith automatically - no custom scripts, no manual uploads.

How we support Bitbucket Pipelines

Cloudsmith gives Bitbucket teams a secure, managed artifact registry that integrates natively into your pipeline YAML - so every build produces a traceable, policy-governed package.
    Official Cloudsmith Publish pipe
    The Cloudsmith Publish pipe is part of Bitbucket's collection of officially maintained pipes. Add it to your bitbucket-pipelines.yml with a single block and start publishing to Cloudsmith immediately.
    Multi-format artifact publishing
    Publish Python, npm, Docker, Maven, Debian, NuGet, and 30+ other formats from your Bitbucket pipeline. One pipe, one repository, all your artifact types.
    Secure API key authentication
    Store your Cloudsmith API key as a secure Bitbucket pipeline variable. It stays out of logs and is injected at runtime, keeping credentials safe across all your repositories.
    Full package traceability
    Every package pushed from Bitbucket Pipelines is logged in Cloudsmith's audit trail. You get a complete provenance record linking each artifact back to the pipeline run that produced it.
    Policy enforcement on every publish
    Cloudsmith applies vulnerability scanning, license checks, and OPA Rego policies the moment a package lands. Pipelines that push non-compliant artifacts are caught before the package reaches downstream consumers.

Why teams integrate Cloudsmith with Bitbucket Pipelines

Without a dedicated artifact registry, Bitbucket teams lose visibility, accumulate security debt, and burn build minutes on fragile custom upload scripts. Cloudsmith closes every one of those gaps.
Without CloudsmithTeams write and maintain custom shell scripts to push artifacts to S3 buckets or ad-hoc registries. These scripts break silently on format changes and are never documented, creating fragile pipelines that block releases.
With CloudsmithThe official Cloudsmith pipe replaces all custom upload logic with a single declarative block. It is maintained by the Cloudsmith team, versioned, and works across every supported format without any custom scripting.
Without CloudsmithBitbucket build minutes are wasted re-downloading public dependencies or re-uploading artifacts because there is no central, trusted store. Teams have no visibility into which artifact version is running in which environment.
With CloudsmithCloudsmith stores every published artifact with full metadata and an audit trail. You can see exactly which pipeline run produced each package and trace it through development, staging, and production without extra tooling.
Without CloudsmithAPI keys for artifact registries are often stored as plaintext in pipeline YAML files or shared across repositories, creating a broad attack surface with no way to rotate or scope credentials quickly.
With CloudsmithCloudsmith API keys are stored as secure Bitbucket pipeline variables and never appear in logs. Service accounts let you scope access per repository, and entitlement tokens provide fine-grained download control for downstream consumers.

Frequently asked questions

  1. Add the pipe as a step in your bitbucket-pipelines.yml file using the cloudsmith-io/publish identifier. You specify your Cloudsmith repository, API key variable, package format, and package path. The pipe is available by default in all Bitbucket workspaces with no installation required.

  2. Cloudsmith supports over 30 package formats including Python, npm, Docker, Maven, Debian, RPM, NuGet, Helm, Cargo, and more. You specify the format using the PACKAGE_FORMAT variable in the pipe configuration, and Cloudsmith handles indexing and serving.

  3. Store your Cloudsmith API key as a secured repository or workspace variable named CLOUDSMITH_API_KEY in Bitbucket. Secured variables are masked in logs and injected at runtime. For tighter scoping, create a Cloudsmith service account with only the permissions your pipeline needs.

  4. Yes. The Cloudsmith Publish pipe is part of Bitbucket's officially maintained pipes collection. It is maintained by the Cloudsmith team and updated as new features and format support are added to the platform.

  5. Yes. If you prefer more control, install the Cloudsmith CLI in your pipeline step and use cloudsmith push commands directly. This approach works for all formats and gives you access to advanced options like tagging, retention overrides, and bulk uploads.

  6. Yes. Every package uploaded to Cloudsmith is automatically scanned for vulnerabilities and evaluated against your active policies. You can configure Cloudsmith to quarantine or block packages that fail checks before they become available to downstream consumers.

  7. Yes. Cloudsmith repositories are independent of your Bitbucket workspace structure. You can publish from any number of Bitbucket repositories to the same Cloudsmith repository, or route artifacts to separate repositories based on team, environment, or format.

  8. Cloudsmith records metadata for every uploaded package including the upload source, timestamp, and user or service account that performed the action. You can query this via the Cloudsmith UI, API, or audit logs to build a full provenance trail from pipeline run to deployed artifact.

  9. Yes. You can mirror Bitbucket's environment stages in Cloudsmith by using separate repositories for development, staging, and production. Packages can be promoted between Cloudsmith repositories without re-uploading, preserving artifact integrity and keeping bandwidth costs low.

  10. Full setup instructions, YAML examples, and configuration options are available at docs.cloudsmith.com under the Bitbucket Pipelines integration guide. The official pipe README on Bitbucket also includes variable references and worked examples for common formats.

Integrations

Discover more Cloudsmith Integrations