---
title: "GitHub Actions Integration - Cloudsmith"
description: "Connect GitHub Actions to Cloudsmith to publish packages, authenticate with OIDC, and enforce artifact policies automatically in every CI/CD workflow."
canonical_url: "https://cloudsmith.com/product/integrations/github-actions"
last_updated: "2026-07-09T10:51:03Z"
---
# GitHub Actions Integration - Cloudsmith

## Publish and manage artifacts directly from **GitHub Actions**

GitHub Actions drives your builds. Cloudsmith governs what those builds produce.

Connect Cloudsmith to your GitHub workflows using the official Cloudsmith CLI Action. Teams publish packages to secure, policy-enforced repositories straight from their pipelines, authenticate with OIDC instead of long-lived secrets, and pull dependencies through upstream caching without touching public registries directly.

Every artifact Cloudsmith stores is scanned, governed by policy, and available for distribution worldwide across 600+ edge PoPs.

Product / Integrations

## GitHub Actions Integration

GitHub Actions is a CI/CD platform integrated into GitHub that allows developers to automate their software development workflows and build, test, and deploy code directly from GitHub. The Cloudsmith GitHub Action enables pushing packages to Cloudsmith repositories using the Cloudsmith CLI.

## How we support **GitHub Actions**

Cloudsmith plugs directly into GitHub workflows to give your pipelines a governed, secure destination for every artifact they produce.

[Read our GitHub Actions documentation](https://docs.cloudsmith.com/integrations/integrating-with-github-actions)

### One-step publishing

Use the official cloudsmith-io/cloudsmith-cli-action to install the Cloudsmith CLI and push packages to any Cloudsmith repository in a single workflow step, supporting all 30+ artifact formats.

### OIDC authentication

Authenticate workflows with OIDC instead of stored API keys. Cloudsmith exchanges a GitHub-issued identity token for a short-lived credential, so no secrets need to be rotated or stored in your repository.

### Policy enforcement at publish

Every package pushed from GitHub Actions lands in a Cloudsmith repository where vulnerability scanning, license checks, and OPA Rego policies run automatically before the artifact is made available downstream.

### Upstream caching

Proxy public registries through Cloudsmith so your workflows pull dependencies from a governed cache. Builds stay fast even when upstream registries are slow or unavailable.

### Full audit trail

Every push and pull triggered by a GitHub Actions workflow is recorded in Cloudsmith's client and audit logs, giving you complete provenance from commit to deployed artifact.

## Frequently asked questions

### How do I publish packages from GitHub Actions to Cloudsmith?

Add the cloudsmith-io/cloudsmith-cli-action step to your workflow. It installs the Cloudsmith CLI and authenticates it automatically using OIDC or an API key. After that, run cloudsmith push with your format, namespace, repository, and the path to the built package.

### What is OIDC authentication and why should I use it?

OIDC lets your GitHub Actions workflow prove its identity to Cloudsmith using a short-lived token issued by GitHub, rather than a static API key stored as a secret. This eliminates the risk of long-lived credential exposure and removes the overhead of secret rotation. It is the recommended authentication method for CI/CD pipelines.

### Do I need to set up a service account for OIDC?

Yes. You create a Cloudsmith service account in your workspace, configure an OIDC provider on it with the appropriate GitHub claim mappings, and then reference the service account slug in your workflow. Full setup steps are documented at docs.cloudsmith.com/authentication/openid-connect.

### Which package formats can I push from GitHub Actions?

The Cloudsmith CLI Action supports all formats available in the Cloudsmith CLI, which covers 30+ formats including Docker, npm, PyPI, Maven, NuGet, Helm, Debian, RPM, Cargo, Go, and more. Any format Cloudsmith supports can be published from a GitHub Actions workflow.

### How does Cloudsmith handle vulnerability scanning for packages pushed from GitHub Actions?

Every package pushed to a Cloudsmith repository is automatically scanned for known vulnerabilities using continuously updated security databases. You can configure vulnerability policies to quarantine or block packages that exceed your severity threshold before they are accessible to downstream consumers.

### Can I use Cloudsmith to cache public registry dependencies in my GitHub Actions workflows?

Yes. Cloudsmith supports upstream proxying for all major public registries. You configure your workflow to pull from a Cloudsmith upstream-backed repository, and Cloudsmith caches the packages on first download. Subsequent workflow runs are faster and protected from upstream outages or package removals.

### Can I use an API key instead of OIDC if my workflow cannot use OIDC?

Yes. Pass your Cloudsmith API key as a GitHub Actions secret and reference it in the cloudsmith-cli-action using the api-key input. OIDC is strongly recommended for security, but API key authentication is fully supported for legacy setups or environments where OIDC is not available.

### How do I enforce artifact policies from GitHub Actions pipelines?

Policies are configured on your Cloudsmith repositories, not on the pipeline itself. When a workflow pushes a package, Cloudsmith's policy engine evaluates it against your vulnerability rules, license policies, and OPA Rego-based Enterprise Policy Manager rules automatically. You do not need to add any extra workflow steps.

### Can I see which GitHub Actions workflow pushed a specific artifact?

Cloudsmith's client logs and audit logs record every push event, including the credential and service account used. When combined with OIDC, the token claims provide a direct trace back to the specific GitHub repository, workflow, and branch that triggered the push.

### Is there a limit on how many packages I can publish from GitHub Actions?

Cloudsmith does not impose arbitrary artifact count limits. Storage and throughput are governed by your Cloudsmith plan. Unlike GitHub Actions' built-in artifact storage, which applies per-repository quotas and 90-day expiry, packages stored in Cloudsmith repositories persist until you choose to delete or apply retention rules.
