Publish artifacts from Buildkite to Cloudsmith

Cloudsmith gives your Buildkite pipelines a secure, fully managed home for every artifact they produce. Authenticate using API keys or entitlement tokens, push packages in any supported format via the Cloudsmith CLI, and distribute them globally through Cloudsmith's CDN-backed delivery network.

How we support Buildkite

Cloudsmith integrates with Buildkite so every build step that produces an artifact has a secure, managed destination. Push packages, enforce access controls, and distribute to your teams without extra tooling.

Push any package format
Use the Cloudsmith CLI inside a Buildkite pipeline step to publish packages in 30+ formats including Docker, npm, Maven, Python, Debian, RPM, Helm, and more.

Secure pipeline authentication
Store your Cloudsmith API key as a Buildkite secret and inject it as CLOUDSMITH_API_KEY. Use entitlement tokens for read access to give your agents least-privilege credentials.

Service accounts for CI
Create a dedicated Cloudsmith service account for your Buildkite organisation so pipeline credentials are isolated from personal accounts and can be rotated independently.

Global artifact delivery
Artifacts published from Buildkite are served through Cloudsmith's CDN-backed Package Delivery Network, giving agents and downstream consumers fast, low-latency access worldwide.

Policy and compliance controls
Apply OPA Rego policies to packages the moment they land in Cloudsmith. Quarantine, deny, or alert on artifacts that violate your security or licensing rules before they reach production.

Why teams integrate Cloudsmith with Buildkite

Without a dedicated artifact store, Buildkite pipelines scatter packages across ad-hoc storage and CI-native caches. Cloudsmith gives every artifact a governed, permanent home.

Without Cloudsmith: Artifacts are stored in temporary CI caches or custom S3 buckets with no access controls, making it hard to audit who pulled what and when.
With Cloudsmith: Every package pushed from Buildkite lands in a versioned, access-controlled Cloudsmith repository with a full audit trail of uploads, downloads, and policy evaluations.

Without Cloudsmith: Pipeline credentials are long-lived API keys shared across teams and pasted into multiple Buildkite secrets stores, creating a large blast radius if leaked.
With Cloudsmith: Scoped entitlement tokens and service accounts limit each pipeline to exactly the repositories it needs, and can be rotated or revoked without touching other pipelines.

Without Cloudsmith: Downstream agents and deployment jobs are slow to start because they pull large artifacts from geographically distant or throttled storage endpoints.
With Cloudsmith: Cloudsmith's global PDN with 600+ edge points of presence ensures agents anywhere in the world pull artifacts with minimal latency, keeping pipeline wait times short.

Frequently asked questions

  1. Store your Cloudsmith API key as a secret in Buildkite and inject it as the CLOUDSMITH_API_KEY environment variable in your pipeline step. The Cloudsmith CLI automatically picks up this variable. For read-only access by agents, use entitlement tokens instead for tighter least-privilege control.

  2. Cloudsmith supports 30+ formats including Docker, npm, Maven, Python (PyPI), Debian, RPM, Helm, NuGet, Cargo, RubyGems, Conda, and many more. You push using the cloudsmith push command with a format-specific subcommand.

  3. Use an API key associated with a dedicated service account for push operations, as entitlement tokens are read-only. For pipeline steps that only download artifacts, entitlement tokens are preferred because they can be scoped to specific repositories and rotated frequently without affecting push credentials.

  4. Install the CLI in a pipeline step using pip install cloudsmith-cli, or use a pre-built Docker image that already includes the CLI to avoid reinstalling it on every build. The CLI is available on PyPI and works on Linux, macOS, and Windows agents.

  5. Yes. Configure your package manager to point at your Cloudsmith repository endpoint and authenticate with an entitlement token. This works for npm, pip, Maven, NuGet, Helm, and all other supported formats, so your agents can resolve internal packages without hitting public registries.

  6. Cloudsmith stores every published version immutably by default. You control retention policies and can configure repositories to deny overwrites, ensuring that a build artifact tied to a specific commit or tag is never silently replaced.

  7. Cloudsmith runs vulnerability scanning on uploaded packages automatically. You can also apply OPA Rego policies that evaluate artifacts on upload and trigger actions such as quarantine, denial, or Slack notifications, before the package is ever available for download.

  8. Yes. You can mirror your Buildkite pipeline stages in Cloudsmith by publishing to separate repositories for development, staging, and production. Use the Cloudsmith CLI or API to copy or promote a package between repositories without re-uploading, preserving the artifact's integrity and provenance.

  9. Cloudsmith repositories support multiple package formats, so a single repository can hold Docker images, npm packages, Maven artifacts, and more alongside each other. You can push different artifact types from different Buildkite steps into the same repository, keeping your organisation structure clean and your pipeline configuration simple.

  10. The full setup guide, including CLI installation, authentication, and example push commands for all supported formats, is available at docs.cloudsmith.com under the Integrations section for Buildkite.
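
Answers 1, 3 and 4 combine into one publish step, shown here as an added pipeline.yml that is not taken from Cloudsmith's or Buildkite's documentation. It assumes the service account's API key is stored as a Buildkite secret under the hypothetical name CLOUDSMITH_PUSH_KEY, a hypothetical repository example-org/example-repo, and Python wheels as the artifact being published.

```yaml
# pipeline.yml (added example). Assumed names: secret CLOUDSMITH_PUSH_KEY,
# repository example-org/example-repo, wheels built into dist/.
steps:
  - label: "Build wheel"
    key: "build"
    command:
      - "python -m pip install build"
      - "python -m build --wheel"
    artifact_paths:
      - "dist/*.whl"

  - label: "Publish to Cloudsmith"
    depends_on: "build"
    # Only builds of the main branch run the step that holds the push credential.
    branches: "main"
    command: |
      # Fail fast on errors; xtrace is deliberately left off so the key
      # is never echoed into the build log.
      set -euo pipefail

      buildkite-agent artifact download "dist/*.whl" .
      python -m pip install cloudsmith-cli

      # Fetch the service account's API key inside this step only, so the
      # build step above never sees it. The doubled dollar sign stops
      # Buildkite from interpolating at upload time and leaves the
      # expansion to the shell on the agent.
      CLOUDSMITH_API_KEY="$$(buildkite-agent secret get CLOUDSMITH_PUSH_KEY)"
      export CLOUDSMITH_API_KEY

      # The CLI reads CLOUDSMITH_API_KEY from the environment, so the key
      # does not appear on the command line.
      for wheel in dist/*.whl; do
        cloudsmith push python example-org/example-repo "$$wheel"
      done
```

Steps that only download packages do not need this key; they authenticate with an entitlement token, as answer 3 describes.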
