feat(eng-12002): Add metadata flag to push command #293

Open
BartoszBlizniak wants to merge 1 commit into refactor/metadata-common from eng-12002-cli-push-time-metadata-flags

@BartoszBlizniak
Member

Description

Adds push-time metadata flags to cloudsmith push <format> so SBOM / BuildInfo / generic JSON can be attached in a single command instead of a separate cloudsmith metadata add follow-up.

New flags on every push subcommand:

  • --metadata-content-file PATH (or - for stdin)
  • --metadata-content JSON
  • --metadata-content-type MIME
  • --metadata-source-identity TEXT

Flow:

  1. Resolve + JSON-object validation locally (once per push, even for multi-file uploads / stdin).
  2. Pre-validate payload via POST /v2/metadata/validate/ before any S3 upload — malformed metadata can no longer leave orphan packages.
  3. After create_package, attach metadata via POST /v2/metadata/.
  4. Failures are fatal by default (CI surfaces broken SBOMs). Opt out per push with CLOUDSMITH_METADATA_FAILURE_MODE=warn (or 0) to downgrade to a warning + copy-paste retry hint.
  5. Result is surfaced under metadata_attachment in JSON output (success and error envelopes).

Reuses shared metadata helpers from cli/metadata_common.py.

Stacked on top of #292 (refactor/metadata-common). Base will retarget to master once #292 merges.

Type of Change

  • New feature
  • Refactoring
  • Bug fix
  • Breaking change
  • Documentation update
  • Other

Additional Notes

  • Default mode aborts the push on validation/attach failure with the HTTP status as the exit code. Setting $CLOUDSMITH_METADATA_FAILURE_MODE=warn will result in the package still being uploaded despite the metadata being invalid.

Examples

Push:

cloudsmith push raw ${ORG}/${REPO} payload.txt --name metadata-demo --version 1.0.0 --republish --metadata-content '{"build_id": "demo-inline", "git_sha": "abc123"}' --metadata-content-type application/json

Checking raw package upload parameters ... OK
Validating metadata content from inline ... OK
Checking payload.txt file upload parameters ... OK
Requesting file upload for payload.txt ... OK
Uploading payload.txt:  [####################################]  100%
Creating a new raw package ... OK
Created: bart-demo-org/821/payloadtxt-wu4u (bONvPYh5LfhH)
Attaching metadata to package bONvPYh5LfhH ... OK
Metadata attached: bart-demo-org/821/payloadtxt-wu4u/ATkdRL03Uwk6

Synchronising payloadtxt-wu4u:  [####################################]  100%  Completed / Fully Synchronised

Package synchronised successfully in 16.006934 second(s)!

Push with invalid metadata:

cloudsmith push raw ${ORG}/${REPO} payload.txt --name metadata-demo --version 1.0.0 --republish --metadata-content-file buildinfo-broken.json --metadata-content-type application/vnd.jfrog.buildinfo+json

Checking raw package upload parameters ... OK
Validating metadata content from buildinfo-broken.json ... FAILED
ERROR
Metadata content failed validation (HTTP 422): Invalid input. (status: 422 - Unprocessable Entity)

Detail: Invalid input.
Content Field: Content does not conform to the schema for content type 'application/vnd.jfrog.buildinfo+json'.

Push with invalid metadata and $CLOUDSMITH_METADATA_FAILURE_MODE set to warn:

CLOUDSMITH_METADATA_FAILURE_MODE=warn cloudsmith push raw ${ORG}/${REPO} payload.txt --name metadata-demo --version 1.0.0 --republish --metadata-content-file buildinfo-broken.json --metadata-content-type application/vnd.jfrog.buildinfo+json

Checking raw package upload parameters ... OK
Validating metadata content from buildinfo-broken.json ... FAILED
Metadata content failed validation (HTTP 422): Invalid input.
Package upload will continue without metadata. Unset $CLOUDSMITH_METADATA_FAILURE_MODE (or set it to ``error``) to fail the push instead.
Checking payload.txt file upload parameters ... OK
Requesting file upload for payload.txt ... OK
Uploading payload.txt:  [####################################]  100%
Creating a new raw package ... OK
Created: bart-demo-org/821/payloadtxt-6mm2 (H4Q1EDW8Gm2E)

Fix the metadata content, then run:
cloudsmith metadata add bart-demo-org/821/payloadtxt-6mm2 --file buildinfo-broken.json --content-type application/vnd.jfrog.buildinfo+json

Synchronising payloadtxt-6mm2:  [####################################]  100%  Completed / Fully Synchronised

Package synchronised successfully in 6.121764 second(s)!

@BartoszBlizniak BartoszBlizniak requested a review from a team as a code owner May 11, 2026 17:04
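
An added example, not code from this pull request or from the cloudsmith-cli code base, sketching steps 1, 2 and 4 of the flow in the description above: resolve the metadata once, require a JSON object, and gate the upload on validation and on CLOUDSMITH_METADATA_FAILURE_MODE. The names `MetadataError`, `resolve_metadata`, `failure_is_fatal` and `pre_upload_gate` are hypothetical, `validate` is a caller-supplied stand-in for the POST /v2/metadata/validate/ call, and treating the two input flags as mutually exclusive is an assumption.

```python
import json
import os
import sys


class MetadataError(Exception):
    """Metadata could not be resolved or validated before upload."""


def resolve_metadata(content=None, content_file=None, stdin=None):
    """Resolve inline / file / stdin ("-") input once and require a JSON object."""
    if content is not None and content_file is not None:
        # Assumption: inline content and a content file are mutually exclusive.
        raise MetadataError("give inline content or a content file, not both")
    if content is None and content_file is None:
        return None, None  # no metadata flags given: plain push
    if content is not None:
        raw, source = content, "inline"
    elif content_file == "-":
        raw, source = (sys.stdin if stdin is None else stdin).read(), "stdin"
    else:
        with open(content_file, encoding="utf-8") as fh:
            raw, source = fh.read(), content_file
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise MetadataError(f"metadata from {source} is not valid JSON: {exc}") from exc
    if not isinstance(payload, dict):
        raise MetadataError(f"metadata from {source} must be a JSON object")
    return payload, source


def failure_is_fatal(environ=None):
    """Fatal by default; 'warn' or '0' downgrades a metadata failure to a warning."""
    env = os.environ if environ is None else environ
    return env.get("CLOUDSMITH_METADATA_FAILURE_MODE", "error") not in ("warn", "0")


def pre_upload_gate(payload, validate, environ=None):
    """Validate before any upload; return True when metadata should be attached."""
    # validate(payload) -> (ok, http_status); hypothetical stand-in for the API call.
    if payload is None:
        return False
    ok, status = validate(payload)
    if ok:
        return True
    if failure_is_fatal(environ):
        raise MetadataError(f"metadata failed validation (HTTP {status}); nothing uploaded")
    return False  # warn mode: the upload continues without metadata
```
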