Cloudsmith

Upload packages to Cloudsmith repositories

Anodizer can upload deb, rpm, and apk packages to Cloudsmith repositories.

Classification

| Group | Required (default) | Rollback | Token scope |
| --- | --- | --- | --- |
| Assets | false | structured warn line per (org, repo, filename) tuple (DELETE migration pending) | CLOUDSMITH_API_KEY package_delete |

See Release resilience for the full classification table and the Submitter gate semantics.

The required: field

Default: false — a Cloudsmith upload failure is logged but does not fail the release.

Set required: true to make the release exit non-zero if this publisher fails:

cloudsmiths:
  - organization: myorg
    repository: myrepo
    required: true

See Publish overview — the required: field for the full semantics.

Minimal config

cloudsmiths:
  - organization: myorg
    repository: myrepo

Full config reference

cloudsmiths:
  - organization: myorg          # required
    repository: releases         # required
    formats:                     # default: [apk, deb, rpm]
      - deb
      - rpm
    distributions:               # per-format distribution tag
      deb: "ubuntu/jammy"
      rpm: "el/8"
      alpine: "alpine/any-version"
    component: main              # deb only
    secret_name: CLOUDSMITH_TOKEN
    republish: true              # allow overwriting existing versions
    keep_versions: 3             # keep 3 newest releases, prune older (opt-in)
    ids: []                      # filter by build IDs
    exclude: []                  # drop packages whose name matches a glob
    skip: false                  # skip this config

Excluding sidecars with exclude

exclude is a list of globs matched against each artifact's file name; anodizer drops every package whose name matches at least one glob from this Cloudsmith repository only. Use it to keep heavy sidecars (checksums, signatures, SBOMs) off a repository while .deb / .rpm / .apk packages still upload.

cloudsmiths:
  - organization: my-org
    repository: my-repo
    exclude:
      - "*.sha256"
      - "*.sig"
      - "*.cdx.json"

exclude composes with ids: and formats: — a package uploads only when it passes every filter. An empty or unset exclude keeps everything. Globs are validated at config-load; an exclude that drops every candidate raises a warning so a typo'd glob is never a silent empty upload.

Authentication

| Variable | Description |
| --- | --- |
| CLOUDSMITH_TOKEN | Cloudsmith API key (or custom name via secret_name) |

Common gotchas

  • If distributions is omitted, packages are uploaded without a distribution tag; some Cloudsmith repo configurations require a valid distribution to index the package.
  • The component field only affects deb packages. Setting it for rpm or apk has no effect.
  • Format detection is by file extension: .apk maps to alpine (not apk) in the config.

Republish / update behavior

When republish: true, anodizer opts into the Cloudsmith API's explicit replace-prior-version path, preventing MD5 conflicts when re-cutting a version. See Recovery flags: cloudsmith.republish for the full mechanism.

Retention: keep_versions

keep_versions: N retains only the N most-recent release versions of each published package, pruning older ones from the repository after a successful upload. It is the durable remedy for storage-capped repositories — notably the Cloudsmith free plan's 500 MB limit, which offers no server-side retention policy.

cloudsmiths:
  - organization: myorg
    repository: releases
    keep_versions: 3   # keep the 3 newest releases, prune anything older

Behavior:

  • Opt-in and destructive. Leaving keep_versions unset (the default) prunes nothing. keep_versions: 0 is rejected — anodizer never prunes every version.
  • Per package. After upload, anodizer lists every version of this package, ranks the distinct releases by SemVer (newest first), keeps the top N — always including the version just published — and deletes every artifact (all formats and architectures) of versions ranked beyond N. Other packages sharing the repository are untouched.
  • Format-aware. The deb/rpm epoch (1:0.9.1-1) and apk revision (0.9.1-r1) suffixes are normalized to the base SemVer (0.9.1), so keeping 2 versions keeps every .deb/.rpm/.apk of the two newest releases — not two formats of one release.
  • Best-effort, non-fatal. Pruning runs only after the upload (the real work) has already succeeded, is skipped in dry-run and snapshot mode, and a list/delete failure emits a prominent warning and continues — it never fails the release or rolls anything back.

The per-package summary appears at default verbosity (pruned M old artifact(s) … (kept N most-recent: 0.9.1, 0.9.0, …)); per-artifact DELETE detail is shown under -v.
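The ranking and normalization described above, as an added example (not anodizer's own code): a dry-run planner that lists which files a given keep_versions value would delete for one package. The function names and sample file names are constructed; it assumes versions that do not parse as SemVer are never pruned and that the just-published release is added to the top N rather than displacing one.

```python
import re
from collections import defaultdict

# Constructed sample: (file name, package version) pairs for one package.
SAMPLE_ARTIFACTS = [
    ("app_0.10.0-1_amd64.deb", "0.10.0-1"),
    ("app_0.9.1-1_amd64.deb", "1:0.9.1-1"),   # deb epoch prefix
    ("app-0.9.1-1.x86_64.rpm", "0.9.1-1"),
    ("app-0.9.1-r1.apk", "0.9.1-r1"),         # apk revision suffix
    ("app_0.9.0-1_amd64.deb", "0.9.0-1"),
    ("app-0.9.0-r0.apk", "0.9.0-r0"),
    ("app_0.8.7-1_amd64.deb", "0.8.7-1"),
    ("app-0.8.7-1.x86_64.rpm", "0.8.7-1"),
]

def base_semver(version):
    """Return (major, minor, patch) for the base release, or None if unparseable."""
    v = version.split(":", 1)[-1]        # strip a deb/rpm epoch such as "1:"
    v = re.sub(r"-r?\d+$", "", v)        # strip "-1" (deb/rpm) or "-r1" (apk)
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v)
    return tuple(int(p) for p in m.groups()) if m else None

def plan_prune(artifacts, keep_versions, just_published):
    """Return (kept release strings, file names that would be deleted)."""
    if keep_versions < 1:
        raise ValueError("keep_versions must be >= 1; pruning every version is refused")
    by_release = defaultdict(list)
    for filename, version in artifacts:
        release = base_semver(version)
        if release is not None:          # assumption: unparseable versions are never pruned
            by_release[release].append(filename)
    ranked = sorted(by_release, reverse=True)   # numeric order: 0.10.0 ranks above 0.9.1
    keep = set(ranked[:keep_versions])
    published = base_semver(just_published)
    if published is not None:
        keep.add(published)              # assumption: added to the top N, not swapped in
    kept = [".".join(map(str, r)) for r in ranked if r in keep]
    delete = sorted(f for r in ranked if r not in keep for f in by_release[r])
    return kept, delete

if __name__ == "__main__":
    kept, delete = plan_prune(SAMPLE_ARTIFACTS, keep_versions=2, just_published="0.10.0-1")
    print("kept:", ", ".join(kept))
    for name in delete:
        print("would delete:", name)
```

Comparing this plan against the repository listing before enabling keep_versions shows whether a lexical sort (which would rank 0.9.1 above 0.10.0) or an unexpected version suffix would change what gets removed.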

Cloudsmith config fields

| Field | Type | Default | Description |
| --- | --- | --- | --- |
| organization | string | required | Cloudsmith organization name (template) |
| repository | string | required | Cloudsmith repository name (template) |
| ids | list | none | Filter by build IDs |
| formats | list | ["apk", "deb", "rpm"] | Package format filter |
| distributions | map | none | Distribution mapping per format (e.g., deb: "ubuntu/focal") |
| component | string | none | Debian component name (e.g., "main") |
| secret_name | string | CLOUDSMITH_TOKEN | Environment variable name for the API key |
| skip | string/bool | none | Skip this config |
| republish | string/bool | false | Allow overwriting existing package versions. See Recovery flags. |
| keep_versions | integer | none | Retain only the N newest releases per package, pruning older ones after upload (opt-in, destructive, best-effort). See Retention. |

Format detection

Packages are matched by file extension:

| Extension | Format |
| --- | --- |
| .deb | deb |
| .rpm | rpm |
| .apk | alpine |
| other | raw |

Distribution mapping

Map package formats to specific distributions:

cloudsmiths:
  - organization: myorg
    repository: myrepo
    distributions:
      deb: "ubuntu/focal"
      rpm: "el/8"
    component: main

Full example

cloudsmiths:
  - organization: myorg
    repository: releases
    formats:
      - deb
      - rpm
    distributions:
      deb: "ubuntu/jammy"
    component: main
    republish: true