feat: add Docker credential helper for Cloudsmith registries#277
Open
cloudsmith-iduffy wants to merge 5 commits into
Open
feat: add Docker credential helper for Cloudsmith registries#277cloudsmith-iduffy wants to merge 5 commits into
cloudsmith-iduffy wants to merge 5 commits into
Conversation
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
31f616c to
58327a3
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
2 times, most recently
from
8b57884 to
0b0445c
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
58327a3 to
910a2cd
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
0b0445c to
987c32f
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
910a2cd to
23ab3ad
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
2 times, most recently
from
65d8c53 to
646c50a
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
23ab3ad to
0e03731
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
646c50a to
5c2b23d
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
2 times, most recently
from
641bec5 to
5540a76
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
6e1792c to
8862812
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
5540a76 to
2aad86a
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
2 times, most recently
from
368db92 to
a60887d
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
2 times, most recently
from
4e72204 to
21fe5cf
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
1cef871 to
b4b2583
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
21fe5cf to
d2cd0d1
Compare
estebangarcia
requested changes
Mar 25, 2026
Comment on lines
+68
to
72
| "console_scripts": [ | ||
| "cloudsmith=cloudsmith_cli.cli.commands.main:main", | ||
| "docker-credential-cloudsmith=cloudsmith_cli.credential_helpers.docker.wrapper:main", | ||
| ] | ||
| }, |
Contributor
There was a problem hiding this comment.
question: Have you tested this with the pyz ?
Contributor
Author
There was a problem hiding this comment.
It won't work with pyz, pyz just gives a single binary. It is good you call this out though, we will have a documentation task to have the user create their own wrapper to cloudsmith credential-helper docker
cloudsmith-iduffy
force-pushed
the
iduffy/credential-provider-chain
branch
from
74f874c to
f30e428
Compare
cloudsmith-iduffy
force-pushed
the
iduffy/credential-helper-base
branch
from
d2cd0d1 to
05fd479
Compare
Member
|
@copilot resolve the merge conflicts in this pull request |
Contributor
Merge conflicts are resolved in commit |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…ring sanitization' Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds first-class Docker credential helper support to the Cloudsmith CLI so Docker can automatically fetch credentials for Cloudsmith registries (including custom domains), without requiring a manual docker login.
Changes:
- Adds a new
cloudsmith credential-helper dockercommand that implements Docker’s credential helper “get” flow. - Adds a
docker-credential-cloudsmithconsole-script wrapper entry point for Docker to invoke. - Introduces custom-domain discovery via Cloudsmith API with a filesystem cache to recognize Cloudsmith-hosted registries beyond
*.cloudsmith.io.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
| setup.py | Registers docker-credential-cloudsmith as a console_script entry point. |
| cloudsmith_cli/credential_helpers/docker/wrapper.py | Implements the Docker-invoked wrapper that delegates to the CLI subcommand. |
| cloudsmith_cli/credential_helpers/docker/credentials.py | Core logic to return Docker credential JSON for Cloudsmith registries. |
| cloudsmith_cli/credential_helpers/docker/init.py | Exposes Docker helper credential retrieval function. |
| cloudsmith_cli/credential_helpers/custom_domains.py | Fetches and caches org custom domains from the Cloudsmith API. |
| cloudsmith_cli/credential_helpers/common.py | Adds shared hostname extraction and Cloudsmith domain detection. |
| cloudsmith_cli/credential_helpers/init.py | Introduces the credential_helpers package. |
| cloudsmith_cli/cli/commands/credential_helper/docker.py | Adds the CLI command implementing Docker helper protocol “get”. |
| cloudsmith_cli/cli/commands/credential_helper/init.py | Defines the credential-helper command group and registers subcommands. |
| cloudsmith_cli/cli/commands/init.py | Ensures the new command group is imported/registered with the CLI. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+151
to
+160
| if session is None: | ||
| session = requests.Session() | ||
|
|
||
| if api_key: | ||
| session.headers["Authorization"] = f"Bearer {api_key}" | ||
|
|
||
| host = api_host or "https://api.cloudsmith.io" | ||
| url = f"{host}/orgs/{org}/custom-domains/" | ||
|
|
||
| response = session.get(url, timeout=10) |
Comment on lines
+187
to
+189
| for item in data: | ||
| if isinstance(item, dict) and "host" in item: | ||
| domains.append(item["host"]) |
| Reads a Docker registry server URL from stdin and returns credentials in JSON format. | ||
| This command implements the 'get' operation of the Docker credential helper protocol. | ||
|
|
||
| Only provides credentials for Cloudsmith Docker registries (docker.cloudsmith.io). |
Comment on lines
+18
to
+21
| @click.command() | ||
| @common_api_auth_options | ||
| @resolve_credentials | ||
| def docker(opts): |
| import logging | ||
| import time | ||
| from pathlib import Path | ||
| from typing import List, Optional |
| @@ -0,0 +1,199 @@ | |||
| """ | |||
| @@ -0,0 +1,86 @@ | |||
| """ | |||
| @@ -0,0 +1,6 @@ | |||
| """ | |||
| @@ -0,0 +1,80 @@ | |||
| """ | |||
| @@ -0,0 +1,31 @@ | |||
| """ | |||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Implement the Docker credential helper protocol so Docker can automatically authenticate with Cloudsmith registries (including custom domains) without manual
docker login.Key changes:
cloudsmith credential-helper dockerCLI commanddocker-credential-cloudsmithwrapper binary (entry point)Type of Change
Additional Notes
Manually tested with: