Depot CI is currently in beta. We are inviting a limited number of users to participate in the beta. If you're interested in participating, please join the waitlist.
We are building Depot CI to provide a faster, more reliable, and more feature-rich CI provider for this new world of software engineering we are all living in.
The general architecture idea behind Depot CI consists of three parts:
The compute subsystem is responsible for executing the work that needs to be done. It receives the tasks to execute from the orchestrator, provisions the compute resources needed, and executes the work.
The orchestrator subsystem schedules multi-step workflows across the fleet of compute, handles dependencies between tasks, and monitors progress.
The GitHub Actions workflow parser takes an Actions-format YAML file and translates it into workflows for the orchestrator to process. It handles compatibility with how a regular Actions runner would execute a workflow, things like behavior, environment variables, and so on.
While Depot CI currently executes Actions-format YAML, the entire system is programmable, which we intend to expose directly via an API. The plan is for Depot CI to support arbitrary frontends that can represent a CI workflow or pipeline, with direct API access to workflows, orchestration, and compute sandboxes.
In this initial beta release, we are starting with a single frontend: GitHub Actions workflows. The goal here is to make it as easy as possible for you to get started with Depot CI while we test and iterate on the core functionality of the system.
Depot CI in this initial beta release is aimed to be a drop-in replacement for GitHub Actions that runs entirely within Depot. This means that you can use your existing GitHub Actions workflows and they will run within Depot CI.
For the beta, we highly recommend that you run Depot CI alongside GitHub Actions.
Things are expected to break and we'll be iterating quickly. So please keep your GitHub Actions workflows running alongside Depot CI so that you don't end up blocked by a broken workflow.
If you've used Claude Code on Depot, you'll already have the Depot Code Access app installed in your GitHub organization.
The depot ci migrate command automates getting started with Depot CI. It launches an interactive wizard that discovers your GitHub Actions workflows, analyzes them for Depot CI compatibility, copies your selected workflows to .depot/, and prompts you to configure any referenced secrets and variables.
Your original .github/ directory is left as-is, so your GitHub Actions workflows continue running in parallel while you test Depot CI.
Note: Your workflows will run simultaneously in GitHub and Depot. Be mindful of workflows that cause changes in external systems, for example that trigger a deploy or update an important artifact, because they will execute twice.
From the root of your repository, run:
depot ci migrate| Flag | Description |
|---|---|
--yes | Run in non-interactive mode, migrating all discovered workflows automatically |
--secret KEY=VALUE | Pre-supply a secret value; can be repeated for multiple secrets |
--var KEY=VALUE | Pre-supply a variable value; can be repeated for multiple variables |
--overwrite | Overwrite an existing .depot/ directory without prompting |
--org <id> | Specify a Depot organization ID (required if you belong to more than one organization) |
--token <token> | Depot API token |
For a full description of how the migrate command works, see the CLI reference.
You can use the Depot CLI to manage secrets and variables after you migrate.
View and manage your workflows from the Workflows page of your Depot dashboard.
You can also use the Depot CLI to:
We are keeping track of the GitHub Actions syntax, triggers, and configuration that we are compatible with. See the following compatibility tables.
Syntax and keys at the workflow level that are supported.
| Field | Purpose | Supported | Notes |
|---|---|---|---|
name | Workflow display name | ✅ | |
run-name | Dynamic run title | ✅ | |
on | Workflow triggers | ✅ | |
on.workflow_call | Reusable workflow definition | ✅ | |
on.workflow_call.inputs | Reusable workflow inputs | ✅ | |
permissions | Token scopes | 🔨 | Done. With the exception of OIDC. |
env | Workflow environment variables | ✅ | |
defaults | Default settings (shell, working-directory) | ✅ | |
concurrency | Concurrency control | 🔨 | In progress |
jobs | Jobs definition | ✅ |
on.*)Triggers that can kick off a Depot CI workflow today.
| Field | Event type | Supported | Notes |
|---|---|---|---|
on.<event_name> | Event triggers | ✅ | |
on.<event_name>.types | Event trigger types | ✅ | |
on.push.branches | Push branch filters | ✅ | |
on.push.tags | Push tag filters | ✅ | |
on.pull_request | GitHub specific event trigger | ✅ | |
on.pull_request.branches | PR branch filters | ✅ | |
on.pull_request_target | GitHub specific event trigger | ✅ | |
on.*.paths | Path filters | ✅ | |
on.schedule | Cron schedule triggers | ✅ | |
on.workflow_call.inputs.* | Reusable workflow inputs (type, default, required) | ✅ | |
on.workflow_call.outputs | Reusable workflow outputs | ✅ | |
on.workflow_call.secrets | Reusable workflow secrets definition | ✅ | |
on.workflow_run | Workflow run triggers | ✅ | |
on.workflow_dispatch | Manual dispatch triggers | ✅ | |
on.workflow_dispatch.inputs | Manual dispatch inputs | ✅ | |
on.branch_protection_rule | GitHub specific event trigger | ❌ | |
on.check_run | GitHub specific event trigger | ❌ | |
on.check_suite | GitHub specific event trigger | ❌ | |
on.create | GitHub specific event trigger | ❌ | |
on.delete | GitHub specific event trigger | ❌ | |
on.deployment | GitHub specific event trigger | ❌ | |
on.deployment_status | GitHub specific event trigger | ❌ | |
on.discussion | GitHub specific event trigger | ❌ | |
on.discussion_comment | GitHub specific event trigger | ❌ | |
on.fork | GitHub specific event trigger | ❌ | |
on.gollum | GitHub specific event trigger | ❌ | |
on.image_version | GitHub specific event trigger | ❌ | |
on.issue_comment | GitHub specific event trigger | ❌ | |
on.issues | GitHub specific event trigger | ❌ | |
on.label | GitHub specific event trigger | ❌ | |
on.merge_group | GitHub specific event trigger | ❌ | |
on.milestone | GitHub specific event trigger | ❌ | |
on.page_build | GitHub specific event trigger | ❌ | |
on.public | GitHub specific event trigger | ❌ | |
on.pull_request_comment | GitHub specific event trigger | ❌ | |
on.pull_request_review | GitHub specific event trigger | ❌ | |
on.pull_request_review_comment | GitHub specific event trigger | ❌ | |
on.registry_package | GitHub specific event trigger | ❌ | |
on.release | GitHub specific event trigger | ❌ | |
on.repository_dispatch | GitHub specific event trigger | ❌ | |
on.status | GitHub specific event trigger | ❌ | |
on.watch | GitHub specific event trigger | ❌ |
jobs.<job_id>.*)Job level syntax and keys that are supported.
| Field | Purpose | Supported | Notes |
|---|---|---|---|
jobs.<job_id> | Job definition | ✅ | |
jobs.<job_id>.name | Job display name | ✅ | |
jobs.<job_id>.needs | Job dependencies / DAG | ✅ | |
jobs.<job_id>.if | Conditional job execution | ✅ | |
jobs.<job_id>.runs-on | Runner selection | ❌ | We respect Depot runner labels and treat non-Depot labels as depot-ubuntu-latest. |
jobs.<job_id>.permissions | Job-scoped permissions | ❌ | |
jobs.<job_id>.environment | Deployment environments | ❌ | |
jobs.<job_id>.concurrency | Job-level concurrency | 🔨 | In progress |
jobs.<job_id>.outputs | Job outputs / cross-job data | ✅ | |
jobs.<job_id>.env | Job environment variables | ✅ | |
jobs.<job_id>.defaults | Job default settings | ✅ | |
jobs.<job_id>.timeout-minutes | Job timeout | ✅ | |
jobs.<job_id>.strategy | Matrix strategy | ✅ | |
jobs.<job_id>.[strategy.fail] | Matrix fail-fast | ✅ | |
jobs.<job_id>.strategy.max-parallel | Matrix parallel limit | ✅ | |
jobs.<job_id>.continue-on-error | Allow job failure | ✅ | |
jobs.<job_id>.container | Job container | ✅ | |
jobs.<job_id>.services | Service containers | ✅ | |
jobs.<job_id>.uses | Reusable workflow call | ✅ | |
jobs.<job_id>.with | Reusable workflow inputs | ✅ | |
jobs.<job_id>.secrets | Reusable workflow secrets | ✅ | |
jobs.<job_id>.secrets.inherit | Inherit all secrets | ✅ | |
jobs.<job_id>.steps | Step definitions | ✅ | |
jobs.<job_id>.snapshot | Custom runner images (larger runners) | ❌ | Custom implementation planned. |
| Field | Purpose | Supported | Notes |
|---|---|---|---|
steps[*].id | Step identifier | ✅ | |
steps[*].name | Step display name | ✅ | |
steps[*].if | Conditional step execution | ✅ | |
steps[*].uses | Action reference | ✅ | |
steps[*].run | Shell command execution | ✅ | |
steps[*].shell | Shell type (bash, pwsh, python) | ✅ | |
steps[*].with | Action inputs | ✅ | |
steps[*].env | Step environment variables | ✅ | |
steps[*].working-directory | Step working directory | ✅ | |
steps[*].continue-on-error | Allow step failure | ✅ | |
steps[*].timeout-minutes | Step timeout | ✅ |
Expression contexts that are supported today.
| Context | Purpose | Supported | Notes |
|---|---|---|---|
github | Event payload, repo, actor | ✅ | |
env | Environment variables | ✅ | |
vars | Repository/org variables | ✅ | |
secrets | Secret values | ✅ | |
needs | Dependent job outputs | ✅ | |
strategy | Matrix strategy info | ✅ | |
matrix | Current matrix values | ✅ | |
steps | Prior step outputs | ✅ | |
job | Current job info | ✅ | |
runner | Runner info | ✅ | |
inputs | Workflow inputs | ✅ |
Expression functions that are supported today.
| Function | Purpose | Supported | Notes |
|---|---|---|---|
always() | Run regardless of status | ✅ | |
success() | Run if no failures | ✅ | |
failure() | Run if any failure | ✅ | |
cancelled() | Run if cancelled | ✅ | |
hashFiles() | File hashing for caching | 🔨 | |
contains() | String/array contains | ✅ | |
startsWith() | String prefix check | ✅ | |
endsWith() | String suffix check | ✅ | |
format() | String formatting | ✅ | |
join() | Array to string | ✅ | |
toJSON() | Object to JSON | ✅ | |
fromJSON() | JSON to object | ✅ |
| Type | Description | Supported | Notes |
|---|---|---|---|
| JavaScript | Node 12/16/20/24 actions | ✅ | |
| Composite | Composite actions | ✅ | |
| Docker | Container actions | ✅ |
This section describes features that are not supported today with Depot CI.
We don't support reusing workflows from other repositories using the uses key. You can still use the uses key to reference actions from the Marketplace, for example uses: action/checkout@v1.
GitHub allows pull_request workflows to run when triggered from forked repositories. We don't support this today but plan to support it.
GitHub allows pull_request_target workflows to run when triggered from forked repositories. We don't support this today but plan to support it.
We'll have our own implementation for snapshotting and using snapshots.
We currently support a subset of events that trigger workflows: push, pull_request, pull_request_target, schedule, workflow_call, workflow_dispatch, workflow_run.
We currently support only the Depot runs-on labels. We treat any labels we can't decipher as depot-ubuntu-latest.
Not supported in the beta yet.
Not supported in the beta yet. We're currently adding this functionality.
Today we support and respect the following permissions: actions, checks, contents, metadata, pull_requests, statuses, workflows. Notably, id-token requires OIDC and isn't supported yet.
Today, secrets and variables are not hierarchical. They are scoped only to your Depot organization, which means you can't set different values for the same secret across different repositories.
The depot ci migrate command automates migrating to Depot CI. To get started with Depot CI, see Get started.
depot ci migrateThe command does the following:
.github/workflows/..depot/ directory and copies selected workflows (and any local actions from .github/actions/) there.migrate flags| Flag | Description |
|---|---|
--yes | Run in non-interactive mode, migrating all discovered workflows automatically |
--secret KEY=VALUE | Pre-supply a secret value; can be repeated for multiple secrets |
--var KEY=VALUE | Pre-supply a variable value; can be repeated for multiple variables |
--overwrite | Overwrite an existing .depot/ directory without prompting |
--org <id> | Specify a Depot organization ID (required if you belong to more than one organization) |
--token <token> | Depot API token |
Use --yes to run the migration without any prompts. Combine it with --secret and --var flags to supply secret and variable values. For example:
depot ci migrate --yes \
--secret NPM_TOKEN=npm_abc123 \
--secret DATABASE_URL=postgres://... \
--var SERVICE_NAME=api \
--org my-org-idIf a workflow references a secret or variable that you haven't supplied via the --secret or --var flags, the migration completes with a warning. You can add missing secrets and variables later with the depot ci secrets add or depot ci vars add commands, or via the API.
Before copying any files, the wizard analyzes each workflow for features that Depot CI doesn't yet support.
The wizard shows a summary of issues for each workflow:
For a full list of compatible syntax, triggers, and configuration, see Compatibility with GitHub Actions.
The migration copies the following into your .depot/ directory:
| Source | Destination |
|---|---|
.github/workflows/<selected>.yml | .depot/workflows/<selected>.yml |
.github/actions/ | .depot/actions/ |
Use the depot ci secrets commands to add, list, and remove secrets for your Depot CI workflows from the command line, as an alternative to the API.
depot ci secrets add SECRET_NAMEIf you omit --value, the CLI prompts you to enter the value securely (input is hidden).
| Flag | Description |
|---|---|
--value <value> | Secret value |
--description <text> | Human-readable description of the secret |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci secrets listDisplays names and metadata (no values) for all secrets configured for your organization.
| Flag | Description |
|---|---|
--output json | Output as JSON instead of a table |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci secrets remove SECRET_NAMEPrompts for confirmation before deleting. Use --force to skip the prompt.
| Flag | Description |
|---|---|
--force | Skip confirmation prompt |
--org <id> | Organization ID |
--token <token> | Depot API token |
Variables are non-secret configuration values available in workflows as ${{ vars.VARIABLE_NAME }}. Unlike secrets, variable values can be read back through the API or CLI.
The depot ci vars commands mirror the secrets commands.
depot ci vars add VAR_NAME --value "some-value"If you omit --value, the CLI prompts you to enter the value.
| Flag | Description |
|---|---|
--value <value> | Variable value |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci vars list| Flag | Description |
|---|---|
--output json | Output as JSON instead of a table |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci vars remove VAR_NAME| Flag | Description |
|---|---|
--force | Skip confirmation prompt |
--org <id> | Organization ID |
--token <token> | Depot API token |
The depot ci run command submits a local workflow YAML file to the Depot CI API and starts a run. If you have uncommitted changes relative to the default branch, the CLI automatically detects them, uploads a patch to Depot Cache, and injects a step into each selected job to apply the patch after checkout. The run reflects your local working state without requiring a push.
From the root of your repository, run:
depot ci run --workflow .depot/workflows/ci.ymlThe command does the following:
actions/checkout in each selected job.run flags| Flag | Description |
|---|---|
--workflow <path> | Path to the workflow YAML file (required) |
--job <name> | Job name to run; can be repeated to select multiple jobs. Omit to run all jobs. |
--ssh-after-step <n> | Insert an SSH debug session (via tmate) after the nth step (1-based). Requires exactly one --job. |
--token <token> | Depot API token |
Pass --job one or more times to run a subset of the jobs defined in the workflow:
depot ci run --workflow .depot/workflows/ci.yml --job build --job testJobs not listed are excluded from the submitted workflow. If a requested job name does not exist in the workflow, the command exits with an error listing the available jobs.
Use --ssh-after-step to insert a tmate debug session after a specific step in a single job. This lets you SSH into the runner at that point in the workflow to inspect state interactively.
depot ci run --workflow .depot/workflows/ci.yml --job build --ssh-after-step 3--ssh-after-step requires exactly one --job to be specified.
The depot ci status command looks up the status of a Depot CI run and displays its workflows, jobs, and individual job attempts in a hierarchical view.
depot ci status <run-id>Replace <run-id> with the run ID returned by depot ci run or visible in the Depot dashboard. The command prints:
| Flag | Description |
|---|---|
--token <token> | Depot API token |
The depot ci logs command fetches and prints the log output for a specific CI job attempt.
depot ci logs <attempt-id>Replace <attempt-id> with the attempt ID shown in the output of depot ci status. The command fetches all log lines for that attempt to stdout.
| Flag | Description |
|---|---|
--token <token> | Depot API token |
migrate commandIf you aren't using the depot ci migrate command to get started with Depot CI, you can copy workflows and configure secrets manually.
In your repository, create a new directory called .depot. Copy your workflows manually by duplicating your .github/workflows/ files into .depot/workflows/ and any .github/actions/ files into .depot/actions/.
Note: Your workflows will run simultaneously in GitHub and Depot. Be mindful of workflows that cause changes in external systems, for example that trigger a deploy or update an important artifact, because they will execute twice.
If your workflows use secrets (like ${{ secrets.NPM_TOKEN }}), and you're not using depot ci migrate, then you'll need to configure secrets in Depot CI using the API or the depot ci secrets command.
You need an organization token (DEPOT_TOKEN) to authenticate.
To add a secret:
curl -X POST https://api.depot.dev/depot.ci.v1.SecretService/AddSecret \
-H "Authorization: Bearer ${DEPOT_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"name": "NPM_TOKEN",
"value": "npm_abc123..."
}'To add multiple secrets:
curl -X POST https://api.depot.dev/depot.ci.v1.SecretService/BatchAddSecrets \
-H "Authorization: Bearer ${DEPOT_TOKEN}" \
-H "Content-Type: application/json" \
-d '{
"secrets": [
{"name": "NPM_TOKEN", "value": "npm_abc123..."},
{"name": "DATABASE_PASSWORD", "value": "super-secret"}
]
}'Your workflows can access secrets, but you can't read them via the API.
To add variables, for non-secret configuration, use the VariableService API (similar to SecretService) or the depot ci vars command. Variables are available via ${{ vars.VARIABLE_NAME }} and can be read back through the API or CLI, unlike secrets.