Added guidance for configuring Cloudsmith as a private registry #34047

Closed
wants to merge 6 commits into from
Expand Up @@ -42,6 +42,7 @@ You'll also find recommendations for the setup of the following registry hosts:

* [Artifactory](#artifactory)
* [Azure Artifacts](#azure-artifacts)
* [Cloudsmith](#cloudsmith)
* [{% data variables.product.prodname_registry %} registry](#github-packages-registry)
* [Nexus](#nexus)
* [ProGet](#proget)
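Review bot: nothing to change in this hunk; the new `#cloudsmith` anchor resolves to the `### Cloudsmith` heading added further down in this same change, and the entry keeps the list's alphabetical order (after Azure Artifacts, before the {% data variables.product.prodname_registry %} registry).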
Expand All @@ -52,7 +53,7 @@ You'll also find recommendations for the setup of the following registry hosts:

### Bundler

Supported by Artifactory, Artifacts, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet.
Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet.

You can authenticate with either a username and password, or a token. For more information, see `ruby-gems` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#rubygems-server)."

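Review bot: while this line is being edited, the second entry "Artifacts" should read "Azure Artifacts" so the Bundler list matches the list at the top of the page and the Python section, which both use the full product name; suggested text: `Supported by Artifactory, Azure Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet.` Optionally, the unchanged sentence below it refers to `ruby-gems` while linking to `#rubygems-server`; the two should use the same identifier.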
Expand Down Expand Up @@ -323,7 +324,7 @@ Registries should be configured using the `https` protocol.

### Nuget

Supported by Artifactory, Artifacts, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet.
Supported by Artifactory, Artifacts, Cloudsmith, {% data variables.product.prodname_registry %} registry, Nexus, and ProGet.

The `nuget-feed` type supports username and password, or token. For more information, see `nuget-feed` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#nuget-feed)."

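Review bot: same naming inconsistency as in the Bundler hunk: "Artifacts" should be "Azure Artifacts" for the NuGet support list. The heading also spells the ecosystem "Nuget" while the registry type is `nuget-feed` and the product name is NuGet; since this hunk already edits the section, `### NuGet` would be a cheap fix, provided the `#nuget` anchor is not linked from elsewhere in the docs (the slug would change).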
Expand Down Expand Up @@ -406,7 +407,7 @@ pub supports URL and token authentication. The URL used for the registry should

### Python

Supported by Artifactory, Azure Artifacts, Nexus, and ProGet. The {% data variables.product.prodname_registry %} registry is not supported.
Supported by Artifactory, Azure Artifacts, Cloudsmith, Nexus, and ProGet. The {% data variables.product.prodname_registry %} registry is not supported.

The `python-index` type supports username and password, or token. For more information, see `python-index` in "[AUTOTITLE](/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#python-index)."

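Review bot: the added "Cloudsmith" entry is consistent with the Cloudsmith example later in this change, which uses `type: python-index`; the unchanged second sentence (no {% data variables.product.prodname_registry %} registry support for Python) is unaffected. Please make sure the Cloudsmith integration page linked from the new section actually covers pip, since this line is now the claim readers will rely on.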
Expand Down Expand Up @@ -621,6 +622,38 @@ The Azure Artifacts password must be an unencoded token and should include a `:`

You can check whether the private registry is successfully accessed by looking at the {% data variables.product.prodname_dependabot %} logs.

### Cloudsmith

For information about Cloudsmith and instructions on how to configure {% data variables.product.prodname_dependabot %} to work with Cloudsmith, see [Getting Started with Cloudsmith](https://help.cloudsmith.io/docs/welcome-to-cloudsmith-docs) and [Integrate Github Dependabot with Cloudsmith](https://help.cloudsmith.io/docs/dependabot), respectively.

#### Upstreams to remote repositories

Cloudsmith Upstreams proxy and cache dependencies into Cloudsmith from remote or public repositories. Instead of directly accessing a public repository (e.g., PyPI, Maven Central, Gradle, or NuGet), Cloudsmith proxies and caches the required dependencies. By caching packages from upstream sources, Cloudsmith ensures uninterrupted access to critical dependencies, mitigates risks associated with external service disruptions, optimizes package retrieval, and strengthens supply chain security. For more information, see [Upstreams](https://help.cloudsmith.io/docs/upstream-proxying-caching) in the Cloudsmith documentation.

If the `replaces-base` setting is set to `true`, Dependabot will use the specified Cloudsmith URL as the primary source for dependencies instead of the default public repository for that package ecosystem. This means you should configure a corresponding Cloudsmith upstream to ensure Dependabot checks Cloudsmith first for dependencies. Here's an example configuration for Python:

```yaml
version: 2
registries:
cloudsmith:
type: python-index
url: https://dl.cloudsmith.io/basic/YOUR-ORG/YOUR-REPO/python/
username: "${{ secrets.CLOUDSMITH_USER_NAME }}"
password: "${{ secrets.CLOUDSMITH_API_KEY }}"
replaces-base: true

updates:
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
registries:
- cloudsmith
commit-message:
prefix: "deps"
open-pull-requests-limit: 10
```

Comment on lines +625 to +656

Member

This seems like just a normal registry configuration for pip, no need to add an explicit example for it, I think if we just mention that Cloudsmith is supported that should be sufficient for users to figure out how to set it up.

Contributor Author

Will I make a new PR, just mentioning Cloudsmith?

Thanks again for reviewing this

Contributor


Closing this PR given the incoming new PR 💛

### {% data variables.product.prodname_registry %} registry

For information about {% data variables.product.prodname_registry %} registries, see "[AUTOTITLE](/packages/working-with-a-github-packages-registry)." From that article, you can access pages describing how to configure the following registries.