Document Cloudsmith and GCP OIDC support for org-level private registries (#61003)

Copilot · kbukum1 · brettfo · web-flow · commit 88fa3eedf998 · 2026-05-02T05:20:50.000Z
Co-authored-by: kbukum1 &lt;kbukum1@github.com&gt;
Co-authored-by: brettfo &lt;926281+brettfo@users.noreply.github.com&gt;
Co-authored-by: mchammer01 &lt;42146119+mchammer01@users.noreply.github.com&gt;
diff --git a/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md b/content/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries.md
@@ -94,6 +94,8 @@ When you select **OIDC** as the authentication method for a private registry, ch
 
 * **Azure**: Enter the **Tenant ID** (Azure AD tenant ID) and **Client ID** (Azure AD application client ID). You must configure a federated credential in Azure AD that trusts {% data variables.product.github %}'s OIDC provider.
 * **AWS CodeArtifact**: Enter the **AWS Region**, **Account ID** (AWS account ID), **Role Name** (IAM role name), **Domain** (CodeArtifact domain), and **Domain Owner** (CodeArtifact domain owner / AWS account ID). You can optionally provide an **Audience**. You must configure an IAM OIDC identity provider in AWS that trusts {% data variables.product.github %}'s OIDC provider.
+* **Cloudsmith**: Enter the **Namespace** (Cloudsmith Organization namespace), **Service Account Slug** (Cloudsmith service account slug), and **Audience** (required). You can optionally provide an **API Host** (defaults to `api.cloudsmith.io`). You must configure an OpenID Connect provider in Cloudsmith that trusts {% data variables.product.github %}'s OIDC provider.
+* **Google Cloud Artifact Registry**: Enter the **Workload Identity Provider** (the full resource name of the Workload Identity Provider, for example `projects/PROJECT-NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER`) and **Service Account** (the email of the GCP service account to impersonate). You can optionally provide an **Audience**. You must configure a Workload Identity Pool and Provider in GCP that trusts {% data variables.product.github %}'s OIDC provider.
 * **JFrog Artifactory**: Enter the **OIDC Provider Name**. You can optionally provide an **Audience** and **Identity Mapping Name**.
 
 The authentication type of a private registry cannot be changed after creation. To switch from OIDC to another authentication method, or vice versa, delete the existing registry and create a new one.
diff --git a/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md b/content/code-security/how-tos/secure-your-supply-chain/manage-your-dependency-security/configuring-access-to-private-registries-for-dependabot.md
@@ -139,10 +139,12 @@ With OIDC-based authentication, {% data variables.product.prodname_dependabot %}
 
 {% endif %}
 
-{% data variables.product.prodname_dependabot %} supports OIDC authentication for any registry type that uses `username` and `password` authentication, when the registry is hosted on one of the following cloud providers:
+{% data variables.product.prodname_dependabot %} supports OIDC authentication for any registry type that uses `username` and `password` authentication, when the registry is hosted on one of the following providers:
 
 * AWS CodeArtifact
 * Azure DevOps Artifacts
+* Cloudsmith
+* Google Cloud Artifact Registry
 * JFrog Artifactory
 
 To configure OIDC authentication, you need to specify different values instead of `username` and `password` in your registry configuration.
@@ -177,6 +179,37 @@ registries:
     client-id: {% raw %}${{ secrets.AZURE_CLIENT_ID }}{% endraw %}
 ```
 
+### Cloudsmith
+
+Cloudsmith requires the values `namespace`, `service-slug`, and `audience`. The `api-host` field is optional and defaults to `api.cloudsmith.io`:
+
+```yaml
+registries:
+  my-cloudsmith-feed:
+    type: npm-registry
+    url: https://dl.cloudsmith.io/MY-NAMESPACE/MY-REPOSITORY/npm/
+    namespace: MY-NAMESPACE
+    service-slug: MY-SERVICE-SLUG
+    audience: https://github.com/GITHUB-ORG
+    api-host: api.cloudsmith.io  # if required by your feed
+```
+
+### Google Cloud Artifact Registry
+
+Google Cloud Artifact Registry requires the values `url` and
+`workload-identity-provider`. The values `service-account` and `audience` are
+optional:
+
+```yaml
+registries:
+  my-gcp-artifact-registry:
+    type: docker-registry
+    url: https://REGION-docker.pkg.dev
+    workload-identity-provider: projects/PROJECT-NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
+    service-account: SA-NAME@PROJECT-ID.iam.gserviceaccount.com  # if required by your provider
+    audience: MY-AUDIENCE  # if required by your provider
+```
+
 ### JFrog Artifactory
 
 JFrog Artifactory requires the values `url` and `jfrog-oidc-provider-name`.  The values `audience` and `identity-mapping-name` are optional:
