Added guidance for configuring Cloudsmith as a private registry #34047
Conversation
Cloudsmith is a Cloud Native Artifact Management Platform that supports 30+ formats and integrates with Dependabot. Cloudsmith's support for Dependabot has been tested and we have documented it on our site: https://help.cloudsmith.io/docs/dependabot.
|
Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines. |
github-actions
bot
added
the
triage
Automatically generated comment ℹ️This comment is automatically generated and will be overwritten every time changes are committed to this branch. The table contains an overview of files in the Content directory changesYou may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.
fpt: Free, Pro, Team |
nguyenalex836
added
content
|
@ciaracarey Thanks so much for opening a PR! I'll get this triaged for review ✨ |
nguyenalex836
added
the
needs SME
|
Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀 |
|
@ciaracarey Thank you for opening a PR! Per our “About contributing to GitHub Docs” article -
For this reason, we will be closing this PR. If you would like to update our docs with content outside of third-party tools or integrations, feel free to open another PR or issue 💛 |
|
thanks @nguyenalex836 A few other artifact management tools were mentioned on this page, so I thought it would be helpful to our joint customers. |
|
@ciaracarey I'll check with our team to see if this would be acceptable, and will provide an update as soon as I have more info! |
nguyenalex836
removed
the
waiting for review
github-actions
bot
added
the
triage
nguyenalex836
removed
the
triage
| ### Cloudsmith | ||
|
|
||
| For information about Cloudsmith and instructions on how to configure {% data variables.product.prodname_dependabot %} to work with Cloudsmith, see [Getting Started with Cloudsmith](https://help.cloudsmith.io/docs/welcome-to-cloudsmith-docs) and [Integrate Github Dependabot with Cloudsmith](https://help.cloudsmith.io/docs/dependabot), respectively. | ||
|
|
||
| #### Upstreams to remote repositories | ||
|
|
||
| Cloudsmith Upstreams proxy and cache dependencies into Cloudsmith from remote or public repositories. Instead of directly accessing a public repository (e.g., PyPI, Maven Central, Gradle, or NuGet), Cloudsmith proxies and caches the required dependencies. By caching packages from upstream sources, Cloudsmith ensures uninterrupted access to critical dependencies, mitigates risks associated with external service disruptions, optimizes package retrieval, and strengthens supply chain security. For more information, see [Upstreams](https://help.cloudsmith.io/docs/upstream-proxying-caching) in the Cloudsmith documentation. | ||
|
|
||
| If the `replaces-base` setting is set to `true`, Dependabot will use the specified Cloudsmith URL as the primary source for dependencies instead of the default public repository for that package ecosystem. This means you should configure a corresponding Cloudsmith upstream to ensure Dependabot checks Cloudsmith first for dependencies. Here's an example configuration for Python: | ||
|
|
||
| ```yaml | ||
| version: 2 | ||
| registries: | ||
| cloudsmith: | ||
| type: python-index | ||
| url: https://dl.cloudsmith.io/basic/YOUR-ORG/YOUR-REPO/python/ | ||
| username: "${{ secrets.CLOUDSMITH_USER_NAME }}" | ||
| password: "${{ secrets.CLOUDSMITH_API_KEY }}" | ||
| replaces-base: true | ||
|
|
||
| updates: | ||
| - package-ecosystem: "pip" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" | ||
| registries: | ||
| - cloudsmith | ||
| commit-message: | ||
| prefix: "deps" | ||
| open-pull-requests-limit: 10 | ||
| ``` | ||
|
|
There was a problem hiding this comment.
This seems like just a normal registry configuration for pip, no need to add an explicit example for it, I think if we just mention that Cloudsmith is supported that should be sufficient for users to figure out how to set it up.
There was a problem hiding this comment.
Will I make a new PR, just mentioning Cloudsmith?
Thanks again for reviewing this
There was a problem hiding this comment.
Closing this PR given the incoming new PR 💛
Added guidance for configuring Cloudsmith as a private registry
Cloudsmith is a Cloud Native Artifact Management Platform that supports 30+ formats and integrates with Dependabot.
Cloudsmith's support for Dependabot has been tested and we have documented it on our site: https://help.cloudsmith.io/docs/dependabot.
Why:
Closes:
What's being changed (if available, include any code snippets, screenshots, or gifs):
Check off the following:
I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).
datadirectory.For content changes, I have completed the self-review checklist.