Merged
1 change: 0 additions & 1 deletion .husky/pre-commit
100644 → 100755
@@ -1,5 +1,4 @@
#!/usr/bin/env sh
. "$(dirname -- "$0")/_/husky.sh"

# Ensure dependencies are installed (skip if CI environment variable present)
if [ -f package.json ] && [ ! -d node_modules ]; then
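Review bot: the mode change 100644 → 100755 is the substantive part of this file, since git only runs a hook that is executable; the header records one deletion but no removed line appears in the shown lines, so the removed line sits in the collapsed region and cannot be reviewed here. The comment says the dependency check is skipped when a CI environment variable is present, but the visible condition `[ -f package.json ] && [ ! -d node_modules ]` does not test `CI`; if that check is on a following collapsed line this is fine, otherwise either update the comment or add `[ -z "$CI" ]` to the condition so the hook matches its description.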
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -7,13 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]
---

## [2.0.3] - 2026-05-08
---
### Security

- Mask the OIDC-issued Cloudsmith API token as a secret so it is replaced with `***` in any subsequent workflow log line. The token was previously exported via `core.exportVariable("CLOUDSMITH_API_KEY", token)` and `core.setOutput('oidc-token', token)` without first calling `core.setSecret(token)`, so a downstream step that printed `$CLOUDSMITH_API_KEY` (e.g. via `set -x` or accidental `echo`) would leak the bearer token in clear text.

### Fixed

- `pip-install: 'true'` now correctly installs `cloudsmith-cli` from the Cloudsmith package index. The previous implementation passed `--index-url=...` as the third positional argument to `@actions/exec`'s `exec()`, which is the **options** objectnot extra CLI argsso the flag was silently dropped and pip resolved `cloudsmith-cli` from the default index (PyPI) instead.
- `pip-install: 'true'`: the Cloudsmith Python index URL is now actually forwarded to `pip install`. Previously, `--index-url=...` was passed as the third positional argument to `@actions/exec`'s `exec()` (which is the **options** object, not extra CLI args), so the flag was silently dropped and `cloudsmith-cli` was resolved from PyPI alone. The flag is now passed inside the args array as `--extra-index-url=...`, so pip searches both PyPI and the Cloudsmith index when resolving `cloudsmith-cli` and its transitive dependencies (`click`, `click-configfile`, etc.).

## [2.0.1] - 2025-12-23
---
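Review bot: the `--extra-index-url` bullet states that pip now searches both PyPI and the Cloudsmith index, but it does not say which index wins when the same package name exists on both; pip has no index priority and selects the highest version across all configured indexes, so the entry should state why that is acceptable for `cloudsmith-cli` and its dependencies, or the action should keep `--index-url` pointed at a Cloudsmith repository that proxies PyPI, which yields the transitive dependencies without resolving from two indexes. Two `pip-install` bullets under `### Fixed` describe the same defect; if the first is the line being removed that is fine, otherwise drop it. Minor: the `### Security` entry mixes `"CLOUDSMITH_API_KEY"` and `'oidc-token'` quoting in the quoted calls, and the changelog jumps from `[2.0.1]` to `[2.0.3]` with no `[2.0.2]` entry, which deserves a line if 2.0.2 was published.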
2 changes: 1 addition & 1 deletion dist/index.js
@@ -26595,7 +26595,7 @@ async function authenticate(

// Register the token as a secret BEFORE exposing it via env var or
// step output, so any subsequent log line containing the literal
// token bytes is masked as `***`. Must precede `exportVariable` and
// token value is masked as `***`. Must precede `exportVariable` and
// `setOutput` so no intermediate log can leak the value.
core.setSecret(token);

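Review bot: the only change in this hunk is the comment wording in the generated bundle (`token bytes` → `token value`); `dist/index.js` is build output, so if the same comment exists in the source file the edit should be made there and `dist` rebuilt, or the next build will revert it. On the control itself, `core.setSecret(token)` registers the exact string with the runner's log masker, so it covers the `set -x` and accidental `echo` cases the changelog names, but it does not mask a transformed copy of the value (base64- or URL-encoded, or split across lines) and it does not restrict what later steps can do with the exported variable or the step output; it is log hygiene, and the short lifetime of the OIDC-issued token remains the primary control.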
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "cloudsmith-github-action",
"version": "2.0.1",
"version": "2.0.3",
"description": "A GitHub Action to install Cloudsmith CLI and authenticate using OIDC",
"main": "dist/index.js",
"engines": {
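Review bot: the `version` field moves from 2.0.1 straight to 2.0.3, consistent with the CHANGELOG in this PR, which also has no 2.0.2 entry; confirm that is intended. The file list on this page shows no `package-lock.json` change, so if the repository keeps a lockfile its top-level `version` should be bumped in the same commit to keep the two files consistent.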