From 77319452b57729cd7f5f5538ad3c3092129411e2 Mon Sep 17 00:00:00 2001
From: Bartosz Blizniak
Date: Fri, 8 May 2026 13:41:20 +0100
Subject: [PATCH 1/3] release v2.0.3
---
 CHANGELOG.md | 5 ++++-
 dist/index.js | 2 +-
 package.json | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 66f59cf..8c30718 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,13 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ---
+
+## [2.0.3] - 2026-05-08
+---
 ### Security
 - Mask the OIDC-issued Cloudsmith API token as a secret so it is replaced with `***` in any subsequent workflow log line. The token was previously exported via `core.exportVariable("CLOUDSMITH_API_KEY", token)` and `core.setOutput('oidc-token', token)` without first calling `core.setSecret(token)`, so a downstream step that printed `$CLOUDSMITH_API_KEY` (e.g. via `set -x` or accidental `echo`) would leak the bearer token in clear text.
 ### Fixed
-- `pip-install: 'true'` now correctly installs `cloudsmith-cli` from the Cloudsmith package index. The previous implementation passed `--index-url=...` as the third positional argument to `@actions/exec`'s `exec()`, which is the **options** object — not extra CLI args — so the flag was silently dropped and pip resolved `cloudsmith-cli` from the default index (PyPI) instead.
+- `pip-install: 'true'`: the Cloudsmith Python index URL is now actually forwarded to `pip install`. Previously, `--index-url=...` was passed as the third positional argument to `@actions/exec`'s `exec()` (which is the **options** object, not extra CLI args), so the flag was silently dropped and `cloudsmith-cli` was resolved from PyPI alone. The flag is now passed inside the args array as `--extra-index-url=...`, so pip uses the Cloudsmith index for the `cloudsmith-cli` package while still resolving transitive dependencies (`click`, `click-configfile`, etc.) from PyPI.
 ## [2.0.1] - 2025-12-23
 ---
diff --git a/dist/index.js b/dist/index.js
index 811ee0f..98739d1 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -26595,7 +26595,7 @@ async function authenticate(
 // Register the token as a secret BEFORE exposing it via env var or
 // step output, so any subsequent log line containing the literal
- // token bytes is masked as `***`. Must precede `exportVariable` and
+ // token value is masked as `***`. Must precede `exportVariable` and
 // `setOutput` so no intermediate log can leak the value.
 core.setSecret(token);
diff --git a/package.json b/package.json
index 4ea635f..665bf07 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cloudsmith-github-action",
- "version": "2.0.1",
+ "version": "2.0.3",
 "description": "A GitHub Action to install Cloudsmith CLI and authenticate using OIDC",
 "main": "dist/index.js",
 "engines": {
From 071836311e3fe2a6bf20c737240d71ec532c2133 Mon Sep 17 00:00:00 2001
From: Bartosz Blizniak
Date: Fri, 8 May 2026 13:42:54 +0100
Subject: [PATCH 2/3] chore: remove deprecated husky v9 init lines
---
 .husky/pre-commit | 3 ---
 1 file changed, 3 deletions(-)
 mode change 100644 => 100755 .husky/pre-commit
diff --git a/.husky/pre-commit b/.husky/pre-commit
old mode 100644
new mode 100755
index c7b9209..40749ae
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,6 +1,3 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
-
 # Ensure dependencies are installed (skip if CI environment variable present)
 if [ -f package.json ] && [ ! -d node_modules ]; then
 echo "[husky] Installing dependencies..."
From ef84ef583b032836346ae5929819b0fcd3abf178 Mon Sep 17 00:00:00 2001
From: Bartosz Blizniak
Date: Fri, 8 May 2026 13:54:04 +0100
Subject: [PATCH 3/3] reword changelog
---
 .husky/pre-commit | 2 ++
 CHANGELOG.md | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.husky/pre-commit b/.husky/pre-commit
index 40749ae..b115336 100755
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@@ -1,3 +1,5 @@
+#!/usr/bin/env sh
+
 # Ensure dependencies are installed (skip if CI environment variable present)
 if [ -f package.json ] && [ ! -d node_modules ]; then
 echo "[husky] Installing dependencies..."
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8c30718..66286e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,7 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
-- `pip-install: 'true'`: the Cloudsmith Python index URL is now actually forwarded to `pip install`. Previously, `--index-url=...` was passed as the third positional argument to `@actions/exec`'s `exec()` (which is the **options** object, not extra CLI args), so the flag was silently dropped and `cloudsmith-cli` was resolved from PyPI alone. The flag is now passed inside the args array as `--extra-index-url=...`, so pip uses the Cloudsmith index for the `cloudsmith-cli` package while still resolving transitive dependencies (`click`, `click-configfile`, etc.) from PyPI.
+- `pip-install: 'true'`: the Cloudsmith Python index URL is now actually forwarded to `pip install`. Previously, `--index-url=...` was passed as the third positional argument to `@actions/exec`'s `exec()` (which is the **options** object, not extra CLI args), so the flag was silently dropped and `cloudsmith-cli` was resolved from PyPI alone. The flag is now passed inside the args array as `--extra-index-url=...`, so pip searches both PyPI and the Cloudsmith index when resolving `cloudsmith-cli` and its transitive dependencies (`click`, `click-configfile`, etc.).
 ## [2.0.1] - 2025-12-23
 ---
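Review bot: The context comment `# Ensure dependencies are installed (skip if CI environment variable present)` promises a `CI` guard, but the condition directly under it, `if [ -f package.json ] && [ ! -d node_modules ]; then`, only tests for package.json and a missing node_modules; the hook body continues past the hunk, so if the `CI` check lives further down the comment is merely misplaced, otherwise it is stale and the guard is missing. If it is absent, `if [ -z "$CI" ] && [ -f package.json ] && [ ! -d node_modules ]; then` would make the condition match the comment without affecting whatever else the hook runs. Restoring `#!/usr/bin/env sh` here is consistent with the previous patch making the file executable (mode 100755), since direct invocation now depends on it; as far as I know husky v9's launcher runs hook files through `sh` regardless, so the shebang is harmless in that path.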