---
title: "Buildkite and Cloudsmith: Artifact Management for CI/CD Pipelines"
description: "Connect Buildkite with Cloudsmith to publish, store, and distribute packages from your pipelines. Secure authentication, multi-format support, and global delivery included."
canonical_url: "https://cloudsmith.com/product/integrations/buildkite"
last_updated: "2026-05-07T09:18:39Z"
---
# Buildkite and Cloudsmith: Artifact Management for CI/CD Pipelines

## Publish artifacts from **Buildkite** to Cloudsmith

Cloudsmith gives your Buildkite pipelines a secure, fully managed home for every artifact they produce. Authenticate using API keys or entitlement tokens, push packages in any supported format via the Cloudsmith CLI, and distribute them globally through Cloudsmith's CDN-backed delivery network.

Product / Integrations

## Buildkite Integration

Cloudsmith gives your Buildkite pipelines a secure, fully managed home for every artifact they produce. Authenticate using API keys or entitlement tokens, push packages in any supported format via the Cloudsmith CLI, and distribute them globally through Cloudsmith's CDN-backed delivery network.

## How we support **Buildkite**

Cloudsmith integrates with Buildkite so every build step that produces an artifact has a secure, managed destination. Push packages, enforce access controls, and distribute to your teams without extra tooling.

[Read our Buildkite documentation](https://docs.cloudsmith.com/integrations/integrating-with-buildkite)

### Push any package format

Use the Cloudsmith CLI inside a Buildkite pipeline step to publish packages in 30+ formats including Docker, npm, Maven, Python, Debian, RPM, Helm, and more.

### Secure pipeline authentication

Store your Cloudsmith API key as a Buildkite secret and inject it as CLOUDSMITH_API_KEY. Use entitlement tokens for read access to give your agents least-privilege credentials.

### Service accounts for CI

Create a dedicated Cloudsmith service account for your Buildkite organisation so pipeline credentials are isolated from personal accounts and can be rotated independently.

### Global artifact delivery

Artifacts published from Buildkite are served through Cloudsmith's CDN-backed Package Delivery Network, giving agents and downstream consumers fast, low-latency access worldwide.

### Policy and compliance controls

Apply OPA Rego policies to packages the moment they land in Cloudsmith. Quarantine, deny, or alert on artifacts that violate your security or licensing rules before they reach production.

## Why teams integrate Cloudsmith with **Buildkite**

Without a dedicated artifact store, Buildkite pipelines scatter packages across ad-hoc storage and CI-native caches. Cloudsmith gives every artifact a governed, permanent home.

| Without Cloudsmith | With Cloudsmith |

| --- | --- |

| Artifacts are stored in temporary CI caches or custom S3 buckets with no access controls, making it hard to audit who pulled what and when. | Every package pushed from Buildkite lands in a versioned, access-controlled Cloudsmith repository with a full audit trail of uploads, downloads, and policy evaluations. |

| Pipeline credentials are long-lived API keys shared across teams and pasted into multiple Buildkite secrets stores, creating a large blast radius if leaked. | Scoped entitlement tokens and service accounts limit each pipeline to exactly the repositories it needs, and can be rotated or revoked without touching other pipelines. |

| Downstream agents and deployment jobs are slow to start because they pull large artifacts from geographically distant or throttled storage endpoints. | Cloudsmith's global PDN with 600+ edge points of presence ensures agents anywhere in the world pull artifacts with minimal latency, keeping pipeline wait times short. |

## Frequently asked questions

### How do I authenticate the Cloudsmith CLI in a Buildkite pipeline?

Store your Cloudsmith API key as a secret in Buildkite and inject it as the CLOUDSMITH_API_KEY environment variable in your pipeline step. The Cloudsmith CLI automatically picks up this variable. For read-only access by agents, use entitlement tokens instead for tighter least-privilege control.

### Which package formats can I push from Buildkite to Cloudsmith?

Cloudsmith supports 30+ formats including Docker, npm, Maven, Python (PyPI), Debian, RPM, Helm, NuGet, Cargo, RubyGems, Conda, and many more. You push using the cloudsmith push command with a format-specific subcommand.

### Should I use an API key or an entitlement token for my Buildkite agents?

Use an API key associated with a dedicated service account for push operations, as entitlement tokens are read-only. For pipeline steps that only download artifacts, entitlement tokens are preferred because they can be scoped to specific repositories and rotated frequently without affecting push credentials.

### How do I install the Cloudsmith CLI in a Buildkite build step?

Install the CLI in a pipeline step using pip install cloudsmith-cli, or use a pre-built Docker image that already includes the CLI to avoid reinstalling it on every build. The CLI is available on PyPI and works on Linux, macOS, and Windows agents.

### Can I use Cloudsmith to pull dependencies during a Buildkite build?

Yes. Configure your package manager to point at your Cloudsmith repository endpoint and authenticate with an entitlement token. This works for npm, pip, Maven, NuGet, Helm, and all other supported formats, so your agents can resolve internal packages without hitting public registries.

### How does Cloudsmith handle package versioning from CI builds?

Cloudsmith stores every published version immutably by default. You control retention policies and can configure repositories to deny overwrites, ensuring that a build artifact tied to a specific commit or tag is never silently replaced.

### What security scanning is available for artifacts pushed from Buildkite?

Cloudsmith runs vulnerability scanning on uploaded packages automatically. You can also apply OPA Rego policies that evaluate artifacts on upload and trigger actions such as quarantine, denial, or Slack notifications, before the package is ever available for download.

### Can I promote artifacts through pipeline stages using Cloudsmith?

Yes. You can mirror your Buildkite pipeline stages in Cloudsmith by publishing to separate repositories for development, staging, and production. Use the Cloudsmith CLI or API to copy or promote a package between repositories without re-uploading, preserving the artifact's integrity and provenance.

### Does Cloudsmith support multi-format repositories used by Buildkite?

Cloudsmith repositories support multiple package formats, so a single repository can hold Docker images, npm packages, Maven artifacts, and more alongside each other. You can push different artifact types from different Buildkite steps into the same repository, keeping your organisation structure clean and your pipeline configuration simple.

### Where can I find the official Cloudsmith documentation for Buildkite?

The full setup guide, including CLI installation, authentication, and example push commands for all supported formats, is available at docs.cloudsmith.com under the Integrations section for Buildkite.
