feat: add Bitbucket Pipelines OIDC detector#303
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
- Adds a Bitbucket Pipelines OIDC environment detector to the existing OIDC auto-discovery flow so the CLI can exchange Bitbucket-provided step OIDC JWTs for Cloudsmith API tokens.
Changes:
- Introduces
BitbucketPipelinesDetectorthat readsBITBUCKET_STEP_OIDC_TOKENfrom the environment. - Registers the new detector in the OIDC detector chain ahead of AWS detection.
- Adds unit tests covering detect/get_token behavior for the Bitbucket detector.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| cloudsmith_cli/core/tests/test_bitbucket_pipelines_detector.py | Adds unit tests for Bitbucket Pipelines detection and token retrieval. |
| cloudsmith_cli/core/credentials/oidc/detectors/bitbucket_pipelines.py | Implements the Bitbucket Pipelines OIDC environment detector. |
| cloudsmith_cli/core/credentials/oidc/detectors/init.py | Registers Bitbucket Pipelines detector in the auto-discovery chain. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
aa06d95 to
eb841f1
Compare
BartoszBlizniak
approved these changes
Jun 10, 2026
Add Bitbucket Pipelines to OIDC credential auto-discovery. When a pipeline step sets `oidc: true`, the CLI reads the OIDC token from the BITBUCKET_STEP_OIDC_TOKEN environment variable and exchanges it for a Cloudsmith access token. Works out of the box with no extra dependencies. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
9bf5c96 to
8774dfa
Compare
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds an OIDC environment detector for Bitbucket Pipelines, following the same pattern as the existing GitHub Actions / Azure DevOps / GitLab CI detectors.
Bitbucket injects an OIDC JWT into
BITBUCKET_STEP_OIDC_TOKENwhen a pipeline step setsoidc: true. The detector reads that variable and hands it to the standard Cloudsmith token exchange (/openid/{org}/withservice_slug); no audience handling is needed since Bitbucket sets the audience itself.bitbucket_pipelines.py—detect()checks the env var,get_token()returns it (clear error when absent)coresuite green, all pre-commit hooks passLive validation
Verified end-to-end against a real Bitbucket pipeline (org
iduffy-demo, servicebitbucket-y3j7) — build succeeded on a hosted runner, exercising detection → token fetch → Cloudsmith exchange → authenticated API call.Token claims minted by Bitbucket:
cloudsmith whoami --verbosein the pipeline:cloudsmith list repos iduffy-demothen returned repositories — confirming the exchanged token authenticates real API calls.🤖 Generated with Claude Code