Google CloudBuild

How to integrate Google CloudBuild with Cloudsmith

Cloudsmith can be used as a target for all the assets created using Google CloudBuild. This guide shows you how to use the Cloudsmith CLI to upload/push a Python package to your Cloudsmith repo.

All formats are supported.

Getting Started

Integrating Cloudsmith as part of your Google CloudBuild project is as simple as installing the Cloudsmith CLI during your build and then using the cloudsmith push command to upload the artifacts from your build process to your Cloudsmith repository.

Adding your API Key to Google Cloud

In order to use the Cloudsmith CLI with Google CloudBuild, we recommend that you create a Cloudsmith service account and use its API key instead of a personal API key. This is more secure, easier to audit, and better suited for CI/CD environments like Google CloudBuild.

You can create and manage service accounts in Cloudsmith by following this guide:

Once you’ve created a service account and generated its API key, we recommend that you add the key as an environment variable using Google Secret Manager.

📘

Authentication best practices

We do not recommend adding the API-Key itself directly into the cloudbuild.yaml file for your Google CloudBuild project, as it will then be revealed in any resulting logs from the build.

Step 1: Store the API key in Google Secret Manager

  1. Go to the Secret Manager page in the Google Cloud Console.
  2. Click + CREATE SECRET.
  3. In the Name field, enter CLOUDSMITH_API_KEY.
  4. In the Secret value field, paste your Cloudsmith service account API key.
  5. Leave other settings as default or configure as needed.
  6. Click CREATE SECRET.

Step 2: Grant Cloud Build access to the secret

Your Cloud Build service account (usually [PROJECT_NUMBER]@cloudbuild.gserviceaccount.com) needs permission to access the secret.

  1. Go to the Secret Manager page.
  2. Click on the CLOUDSMITH_API_KEY secret.
  3. Go to the PERMISSIONS tab.
  4. Click + GRANT ACCESS.
  5. In New principals, enter your Cloud Build service account.
  6. Under Select a role, choose Secret Manager Secret Accessor.
  7. Click SAVE.

Step 3: Reference the secret in cloudbuild.yaml

To reference a secret stored in Google Secrets Manager in your Google CloudBuild cloudbuild.yaml file you would use the following syntax:

steps:
  - name: 'python'
    secretEnv: ['CLOUDSMITH_API_KEY']

For further details on obtaining your Cloudsmith API Key, see:

For further details on using Google Secrets Manager with Google CloudBuild see:

Adding the Cloudsmith CLI to your CloudBuild Project

To add the Cloudsmith CLI to your Google CloudBuild Project, add the following command to the cloudbuild.yaml file:

    - pip install cloudsmith-cli

Uploading a built artifact to Cloudsmith

To upload an artifact from a build to a Cloudsmith repository, add the cloudsmith push command in cloudbuild.yaml file:

    - cloudsmith push FORMAT OWNER/REPOSITORY FILENAME

Please see the Cloudsmith CLI documentation for more details of the syntax of the cloudsmith push command and the Supported Formats page for examples of the cloudsmith push command for each supported format.

Example cloudbuild.yaml

Here’s a complete working example that builds a Python package and uploads it to a Cloudsmith repository:

steps:

  - name: 'python'
    entrypoint: bash
    secretEnv: ['CLOUDSMITH_API_KEY']
    args:
      - '-c'
      - |
        echo "Setting up virtualenv and installing Cloudsmith CLI..."
        python3 -m venv venv
        source venv/bin/activate
        pip install --upgrade pip setuptools wheel cloudsmith-cli

        echo "Building package..."
        python setup.py sdist bdist_wheel

        echo "Authenticating with Cloudsmith..."
        cloudsmith whoami 

        echo "Pushing package to Cloudsmith..."
        cloudsmith push python ORG_NAME/REPO_NAME dist/*.whl

availableSecrets:
  secretManager:
    - versionName: projects/your-gcp-project-id/secrets/CLOUDSMITH_API_KEY/versions/latest
      env: CLOUDSMITH_API_KEY
  • Replace your-org/your-repo with your actual Cloudsmith organization/repository name.
  • Also update your-gcp-project-id with your actual Google Cloud project ID.

Support

As always, if you have any questions about integration or would like some general advice, please contact support.


Cloudsmith is the new standard in Package / Artifact Management and Software Distribution

With support for all major package formats, you can trust us to manage your software supply chain.


Start My Free Trial Now
Cookie Declaration (Manage Cookies)