Reference for all depot ci commands. To install the Depot CLI, see Installation.
Other Depot product CLI references:
depot ci migrateMigrates GitHub Actions workflows to Depot CI. The command runs two phases: it validates your environment with a preflight check, then copies and transforms your selected workflows into .depot/workflows/.
depot ci migrateAfter migration, the command reports any secrets and variables referenced by the migrated workflows and directs you to depot ci migrate secrets-and-vars for importing them.
Each phase is also available as a standalone subcommand:
depot ci migrate preflight — validate authentication and GitHub app accessdepot ci migrate workflows — copy and transform workflowsdepot ci migrate secrets-and-vars — import GitHub secrets and variables into Depot CI| Flag | Description |
|---|---|
--yes | Run in non-interactive mode, migrating all discovered workflows automatically |
--overwrite | Overwrite an existing .depot/ directory without prompting |
--org <id> | Specify a Depot organization ID (required if you belong to more than one organization) |
--token <token> | Depot API token |
depot ci migrate preflightValidates that you are authenticated, detects the GitHub repository from your git remote, and checks that the Depot Code Access GitHub App is installed with the correct permissions and repository access.
depot ci migrate preflightIf the app is not installed or needs updated permissions, the command prints a link to configure it.
| Flag | Description |
|---|---|
--org <id> | Specify a Depot organization ID (required if you belong to more than one organization) |
--token <token> | Depot API token |
depot ci migrate workflowsCopies workflows from .github/workflows/ into .depot/workflows/, applying Depot CI compatibility transformations and inline comments documenting any changes.
depot ci migrate workflows.github/workflows/..depot/workflows/ and any local actions from .github/actions/ to .depot/actions/.ubuntu-latest to depot-ubuntu-latest).| Source | Destination |
|---|---|
.github/workflows/<selected>.yml | .depot/workflows/<selected>.yml |
.github/actions/ | .depot/actions/ |
| Flag | Description |
|---|---|
--yes | Run in non-interactive mode, migrating all discovered workflows automatically |
--overwrite | Overwrite an existing .depot/ directory without prompting |
--org <id> | Specify a Depot organization ID (required if you belong to more than one organization) |
--token <token> | Depot API token |
The command applies three kinds of changes to migrated workflows, documented with inline comments:
runs-on labels are remapped from GitHub runner labels (like ubuntu-latest) to their Depot equivalents.release or schedule) are removed from the on: block with a comment explaining why.DISABLED comment noting the reason.Each migrated file includes a header comment listing the source workflow and a summary of all changes made. For the full compatibility matrix, see Compatibility with GitHub Actions.
depot ci migrate secrets-and-varsCreates a one-shot GitHub Actions workflow that reads secrets and variables from your GitHub repository and imports them into Depot CI.
depot ci migrate secrets-and-varsThe command pushes a temporary branch to your GitHub repository containing a workflow that runs on GitHub Actions. The workflow reads your existing GitHub secrets and variables and imports them into Depot CI using the Depot CLI.
In interactive mode, you can preview the generated workflow before it is created. After the workflow is triggered, the command prints a URL where you can monitor the import.
| Flag | Description |
|---|---|
--yes | Skip preview and confirmation prompts |
--org <id> | Specify a Depot organization ID (required if you belong to more than one organization) |
--token <token> | Depot API token |
depot ci runSubmits a workflow to Depot CI and starts a run against your local working tree, without requiring a push to GitHub first. It's the fastest way to test a workflow against changes you're actively working on.
depot ci run --workflow .depot/workflows/ci.ymlIf you have uncommitted changes relative to the default branch, the CLI automatically detects them, uploads a patch to Depot Cache, and injects a patch-application step after actions/checkout in each selected job.
| Flag | Description |
|---|---|
--workflow <path> | Path to the workflow YAML file (required) |
--job <name> | Job name to run; can be repeated to select multiple jobs. Omit to run all jobs. |
--ssh | Start the run and connect to the job's sandbox via interactive terminal. Requires exactly one --job. |
--ssh-after-step <n> | Insert an SSH debug session (via tmate) after the nth step (1-based). Requires exactly one --job. |
--org <id> | Organization ID (required when user is a member of multiple organizations) |
--token <token> | Depot API token |
Pass --job one or more times to run a subset of jobs defined in the workflow:
depot ci run --workflow .depot/workflows/ci.yml --job build --job testJobs not listed are excluded from the submitted workflow. If a requested job name does not exist in the workflow, the command exits with an error listing the available jobs.
Use --ssh to start the run and immediately connect to the job's sandbox via an interactive terminal:
depot ci run --workflow .depot/workflows/ci.yml --job build --sshUse --ssh-after-step to insert a tmate debug session after a specific step in a single job. This lets you SSH into the runner at that point in the workflow to inspect state interactively.
depot ci run --workflow .depot/workflows/ci.yml --job build --ssh-after-step 3Both --ssh and --ssh-after-step require exactly one --job to be specified.
depot ci run listLists CI runs for your organization. By default returns the 50 most recent queued and running runs.
depot ci run listAlias: depot ci run ls.
| Flag | Description |
|---|---|
--status <status> | Filter by status; can be repeated. Values: queued, running, finished, failed, cancelled |
-n <number> | Number of runs to return (default: 50) |
--output json | Output as JSON instead of a table |
--org <id> | Organization ID (required when user is a member of multiple organizations) |
--token <token> | Depot API token |
# List failed runs
depot ci run list --status failed
# List finished and failed runs
depot ci run list --status finished --status failed
# List the 5 most recent runs
depot ci run list -n 5depot ci statusLooks up the status of a Depot CI run and displays its workflows, jobs, and individual job attempts in a hierarchical view.
depot ci status <run-id>Replace <run-id> with the run ID returned by depot ci run or visible in the Depot dashboard. The command prints:
| Flag | Description |
|---|---|
--org <id> | Organization ID (required when user is a member of multiple organizations) |
--token <token> | Depot API token |
depot ci logsFetches and prints the log output for a CI job. Accepts a run ID, job ID, or attempt ID. When given a run or job ID, the command resolves to the latest attempt automatically. Use --job and --workflow to disambiguate when a run has multiple jobs.
depot ci logs <run-id | job-id | attempt-id>| Flag | Description |
|---|---|
--job <key> | Job key to select (required when the run has multiple jobs) |
--workflow <path> | Workflow path to filter jobs (for example, ci.yml) |
--org <id> | Organization ID (required when user is a member of multiple organizations) |
--token <token> | Depot API token |
# Fetch logs by attempt ID
depot ci logs <attempt-id>
# Fetch logs for the latest attempt of a run (single-job workflow)
depot ci logs <run-id>
# Fetch logs for a specific job in a run
depot ci logs <run-id> --job test
# Disambiguate with workflow path when job names overlap across workflows
depot ci logs <run-id> --job build --workflow ci.ymldepot ci sshOpens an interactive terminal session to the sandbox running a CI job. Accepts a run ID or job ID. If the job hasn't started yet, the command waits for the sandbox to be provisioned.
depot ci ssh <run-id | job-id>| Flag | Description |
|---|---|
--job <key> | Job key to connect to (required when the run has multiple jobs) |
--info | Print SSH connection details instead of connecting interactively |
--output json | Output SSH connection details as JSON (use with --info) |
--org <id> | Organization ID (required when user is a member of multiple organizations) |
--token <token> | Depot API token |
# Connect to a job by job ID
depot ci ssh <job-id>
# Connect to a specific job in a run
depot ci ssh <run-id> --job build
# Print SSH connection details without connecting
depot ci ssh <run-id> --info
# Print SSH connection details as JSON
depot ci ssh <run-id> --info --output jsondepot ci secretsManages secrets for your Depot CI workflows. Secrets are scoped to your Depot organization, encrypted at rest, and never readable after creation. Reference them in workflows as ${{ secrets.SECRET_NAME }}.
depot ci secrets adddepot ci secrets add SECRET_NAMEIf you omit --value, the CLI prompts you to enter the value securely (input is hidden).
| Flag | Description |
|---|---|
--value <value> | Secret value |
--description <text> | Human-readable description of the secret |
--repo <owner/repo> | Scope the secret to a specific repository; without this flag, the secret is org-wide |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci secrets listdepot ci secrets listDisplays names and metadata (no values) for all secrets configured for your organization. Use --repo to also show repo-specific secrets that override org-wide values.
| Flag | Description |
|---|---|
--repo <owner/repo> | Also show repo-specific secrets for this repository |
--output json | Output as JSON instead of a table |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci secrets removedepot ci secrets remove SECRET_NAME [SECRET_NAME...]Alias: depot ci secrets rm. Accepts one or more secret names. Prompts for confirmation before deleting.
# Remove a single secret
depot ci secrets remove MY_API_KEY
# Remove a repo-specific secret
depot ci secrets remove MY_API_KEY --repo owner/repo
# Remove multiple secrets at once
depot ci secrets remove GITHUB_TOKEN MY_API_KEY DATABASE_URL
# Remove without confirmation
depot ci secrets remove GITHUB_TOKEN MY_API_KEY --force| Flag | Description |
|---|---|
--repo <owner/repo> | Remove a repo-specific secret instead of the org-wide secret |
--force | Skip confirmation prompt |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci varsManages variables for your Depot CI workflows. Variables are non-secret configuration values, available in workflows as ${{ vars.VARIABLE_NAME }}. Unlike secrets, variable values can be read back through the CLI or API.
depot ci vars adddepot ci vars add VAR_NAME --value "some-value"If you omit --value, the CLI prompts you to enter the value.
| Flag | Description |
|---|---|
--value <value> | Variable value |
--repo <owner/repo> | Scope the variable to a specific repository; without this flag, the variable is org-wide |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci vars listdepot ci vars listUse --repo to also show repo-specific variables that override org-wide values.
| Flag | Description |
|---|---|
--repo <owner/repo> | Also show repo-specific variables for this repository |
--output json | Output as JSON instead of a table |
--org <id> | Organization ID |
--token <token> | Depot API token |
depot ci vars removedepot ci vars remove VAR_NAME [VAR_NAME...]Alias: depot ci vars rm. Accepts one or more variable names. Prompts for confirmation before deleting.
# Remove a single variable
depot ci vars remove GITHUB_REPO
# Remove a repo-specific variable
depot ci vars remove GITHUB_REPO --repo owner/repo
# Remove multiple variables at once
depot ci vars remove GITHUB_REPO MY_SERVICE_NAME DEPLOY_ENV
# Remove without confirmation
depot ci vars remove GITHUB_REPO MY_SERVICE_NAME --force| Flag | Description |
|---|---|
--repo <owner/repo> | Remove a repo-specific variable instead of the org-wide variable |
--force | Skip confirmation prompt |
--org <id> | Organization ID |
--token <token> | Depot API token |