feat: add OIDC credential auto-discovery#276
Open
cloudsmith-iduffy wants to merge 6 commits into
Open
Conversation
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
595f343 to
267a002
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
fd065ae to
8b57884
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
267a002 to
34c3c6d
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
8b57884 to
0b0445c
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
34c3c6d to
62358e8
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
0b0445c to
987c32f
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
2 times, most recently
from
4586a50 to
603470a
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
987c32f to
65d8c53
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
603470a to
ea65f83
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
65d8c53 to
646c50a
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
ea65f83 to
d47d674
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
646c50a to
5c2b23d
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
3 times, most recently
from
6d0be0f to
0070269
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
6e1792c to
8862812
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
0070269 to
97c2c36
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
2 times, most recently
from
368db92 to
a60887d
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
2 times, most recently
from
04708a3 to
6ac94b8
Compare
cloudsmith-iduffy
changed the title
butlerx
approved these changes
Mar 19, 2026
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
1cef871 to
b4b2583
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
2 times, most recently
from
207da81 to
f51bc86
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
74f874c to
f30e428
Compare
Add AWS OIDC support as the final provider in the credential chain
(Keyring → CLIFlag → OIDC). When CLOUDSMITH_ORG and CLOUDSMITH_SERVICE_SLUG
are set, the CLI auto-detects the CI/CD environment, retrieves a vendor
OIDC JWT via STS GetWebIdentityToken, and exchanges it for a short-lived
Cloudsmith API token.
- AWS detector with boto3 session reuse and default audience ('cloudsmith')
- Token cache (keyring with filesystem fallback) checked before detection
- OIDC token exchange against POST /openid/{org}/
- CLI options: --oidc-org, --oidc-service-slug, --oidc-audience,
--oidc-discovery-disabled
- Optional dependency: pip install cloudsmith-cli[aws]
- Warning-level logs on OIDC failures for CI/CD debuggability
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
cloudsmith-iduffy
force-pushed
the
iduffy/oidc-base
branch
from
f51bc86 to
47293a5
Compare
Member
|
@copilot resolve the merge conflicts in this pull request |
Contributor
BartoszBlizniak
added a commit
to BartoszBlizniak/cloudsmith-cli
that referenced
this pull request
May 27, 2026
…Windows e2e cwd Three Windows-only fixes from run 26505942827: 1. Install `cryptography` explicitly during the build step. It is a transitive dep on Linux (via secretstorage) + macOS, but absent on Windows (WinVaultKeyring uses the native Windows API). Without it, PyInstaller logged "Hidden import 'cryptography.fernet' not found" and the frozen Windows binary's `check cryptography-selftest` failed with `No module named 'cryptography'`. Move it into setup.py install_requires once OIDC PR cloudsmith-io#276 lands a real call site. 2. Replace `ctx.exit(N)` with `sys.exit(N)` in the two selftest subcommands. On the Windows PyInstaller binary, Click's `ctx.exit(2)` printed the FAIL line but the process exit code reaching PowerShell was 0 — the in-step `if ($LASTEXITCODE -ne 0)` guard therefore did not throw and the step was marked green despite a real failure. `sys.exit` propagates through PyInstaller's bootloader correctly on every platform. Also drop the now-unused `@click.pass_context` decorator + `ctx` parameter for cleanliness. 3. Use an absolute path for `$bin` in the Push/pull e2e (Windows) step so `Set-Location e2e` does not invalidate the relative `.\out\cloudsmith-windows-amd64.exe` lookup. The matrix legs failed with "The term '.\out\cloudsmith-windows-amd64.exe' is not recognized as a name of a cmdlet …" after the cd. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
BartoszBlizniak
added a commit
to BartoszBlizniak/cloudsmith-cli
that referenced
this pull request
May 27, 2026
…yInstaller path) Carries the research-followups tracker onto the binary-poc branch and updates the four "Promote PyInstaller path" items (per §Suggested execution order): - #5 keyring round-trip: in-flight; selftest pivot documented (real keyring usage is SSO-only and not CI-scriptable, so the work uses a synthetic `check keyring-selftest` set/get/delete via the configured backend). CI gates the selftest per OS; signed-macOS retest blocked on Q#16. - #6 push/pull e2e: in-flight; new setup-test-repo job + per-target push/download/cmp described, results table populated as CI lands. - #7 native cryptography: in-flight; audit shows zero direct cryptography call sites in the CLI today (transitive via keyring → secretstorage on Linux), selftest covers it pending OIDC PR cloudsmith-io#276. - cloudsmith-io#13 cloudsmith-cli-action libc detection: design brief drafted — algorithm, URL shape, fallback policy, test matrix, implementation notes for an engineer with push perms to cloudsmith-io/cloudsmith-cli-action. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a new OIDC credential provider to the credential chain that
automatically detects CI/CD environments, retrieves a vendor OIDC JWT,
and exchanges it for a short-lived Cloudsmith API token.
Key changes:
awsextra)whoamicommand updated to display OIDC auth source