Workflow syntax for GitHub Actions

About YAML syntax for workflows

Workflow files use YAML syntax, and must have either a.ymlor.yamlfile extension. If you're new to YAML and want to learn more, see "Learn YAML in Y minutes."

You must store workflow files in the.github/workflowsdirectory of your repository.

name

The name of the workflow. GitHub displays the names of your workflows under your repository's "Actions" tab. If you omitname,GitHub displays the workflow file path relative to the root of the repository.

run-name

The name for workflow runs generated from the workflow. GitHub displays the workflow run name in the list of workflow runs on your repository's "Actions" tab. Ifrun-nameis omitted or is only whitespace, then the run name is set to event-specific information for the workflow run. For example, for a workflow triggered by apushorpull_requestevent, it is set as the commit message or the title of the pull request.

This value can include expressions and can reference thegithubandinputscontexts.

Example ofrun-name

run-name:Deployto${{inputs.deploy_target}}by@${{github.actor}}

on

To automatically trigger a workflow, useonto define which events can cause the workflow to run. For a list of available events, see "Events that trigger workflows."

You can define single or multiple events that can trigger a workflow, or set a time schedule. You can also restrict the execution of a workflow to only occur for specific files, tags, or branch changes. These options are described in the following sections.

Using a single event

For example, a workflow with the followingonvalue will run when a push is made to any branch in the workflow's repository:

on:push

Using multiple events

You can specify a single event or multiple events. For example, a workflow with the followingonvalue will run when a push is made to any branch in the repository or when someone forks the repository:

on:[push,fork]

If you specify multiple events, only one of those events needs to occur to trigger your workflow. If multiple triggering events for your workflow occur at the same time, multiple workflow runs will be triggered.

Using activity types

Some events have activity types that give you more control over when your workflow should run. Useon.<event_name>.typesto define the type of event activity that will trigger a workflow run.

For example, theissue_commentevent has thecreated,edited,anddeletedactivity types. If your workflow triggers on thelabelevent, it will run whenever a label is created, edited, or deleted. If you specify thecreatedactivity type for thelabelevent, your workflow will run when a label is created but not when a label is edited or deleted.

on:
label:
types:
-created

If you specify multiple activity types, only one of those event activity types needs to occur to trigger your workflow. If multiple triggering event activity types for your workflow occur at the same time, multiple workflow runs will be triggered. For example, the following workflow triggers when an issue is opened or labeled. If an issue with two labels is opened, three workflow runs will start: one for the issue opened event and two for the two issue labeled events.

on:
issues:
types:
-opened
-labeled

For more information about each event and their activity types, see "Events that trigger workflows."

Using filters

Some events have filters that give you more control over when your workflow should run.

For example, thepushevent has abranchesfilter that causes your workflow to run only when a push to a branch that matches thebranchesfilter occurs, instead of when any push occurs.

on:
push:
branches:
-main
-'releases/**'

Using activity types and filters with multiple events

If you specify activity types or filters for an event and your workflow triggers on multiple events, you must configure each event separately. You must append a colon (:) to all events, including events without configuration.

For example, a workflow with the followingonvalue will run when:

• A label is created
• A push is made to themainbranch in the repository
• A push is made to a GitHub Pages-enabled branch

on:
label:
types:
-created
push:
branches:
-main
page_build:

on.<event_name>.types

Useon.<event_name>.typesto define the type of activity that will trigger a workflow run. Most GitHub events are triggered by more than one type of activity. For example, thelabelis triggered when a label iscreated,edited,ordeleted.Thetypeskeyword enables you to narrow down activity that causes the workflow to run. When only one activity type triggers a webhook event, thetypeskeyword is unnecessary.

You can use an array of eventtypes.For more information about each event and their activity types, see "Events that trigger workflows."

on:
label:
types:[created,edited]

on.<pull_request|pull_request_target>.<branches|branches-ignore>

When using thepull_requestandpull_request_targetevents, you can configure a workflow to run only for pull requests that target specific branches.

Use thebranchesfilter when you want to include branch name patterns or when you want to both include and exclude branch names patterns. Use thebranches-ignorefilter when you only want to exclude branch name patterns. You cannot use both thebranchesandbranches-ignorefilters for the same event in a workflow.

If you define bothbranches/branches-ignoreandpaths/paths-ignore,the workflow will only run when both filters are satisfied.

Thebranchesandbranches-ignorekeywords accept glob patterns that use characters like*,**,+,?,!and others to match more than one branch name. If a name contains any of these characters and you want a literal match, you need to escape each of these special characters with\.For more information about glob patterns, see the "Workflow syntax for GitHub Actions."

Example: Including branches

The patterns defined inbranchesare evaluated against the Git ref's name. For example, the following workflow would run whenever there is apull_requestevent for a pull request targeting:

• A branch namedmain(refs/heads/main)
• A branch namedmona/octocat(refs/heads/mona/octocat)
• A branch whose name starts withreleases/,likereleases/10(refs/heads/releases/10)

on:
pull_request:
# Sequence of patterns matched against refs/heads
branches:
-main
-'mona/octocat'
-'releases/**'

If a workflow is skipped due to branch filtering,path filtering,or acommit message,then checks associated with that workflow will remain in a "Pending" state. A pull request that requires those checks to be successful will be blocked from merging.

Example: Excluding branches

When a pattern matches thebranches-ignorepattern, the workflow will not run. The patterns defined inbranches-ignoreare evaluated against the Git ref's name. For example, the following workflow would run whenever there is apull_requestevent unless the pull request is targeting:

• A branch namedmona/octocat(refs/heads/mona/octocat)
• A branch whose name matchesreleases/**- Alpha,likereleases/beta/3- Alpha(refs/heads/releases/beta/3- Alpha)

on:
pull_request:
# Sequence of patterns matched against refs/heads
branches-ignore:
-'mona/octocat'
-'releases/**- Alpha '

Example: Including and excluding branches

You cannot usebranchesandbranches-ignoreto filter the same event in a single workflow. If you want to both include and exclude branch patterns for a single event, use thebranchesfilter along with the!character to indicate which branches should be excluded.

If you define a branch with the!character, you must also define at least one branch without the!character. If you only want to exclude branches, usebranches-ignoreinstead.

The order that you define patterns matters.

• A matching negative pattern (prefixed with!) after a positive match will exclude the Git ref.
• A matching positive pattern after a negative match will include the Git ref again.

The following workflow will run onpull_requestevents for pull requests that targetreleases/10orreleases/beta/mona,but not for pull requests that targetreleases/10- Alphaorreleases/beta/3- Alphabecause the negative pattern!releases/**- Alphafollows the positive pattern.

on:
pull_request:
branches:
-'releases/**'
-'!releases/**- Alpha '

on.push.<branches|tags|branches-ignore|tags-ignore>

When using thepushevent, you can configure a workflow to run on specific branches or tags.

Use thebranchesfilter when you want to include branch name patterns or when you want to both include and exclude branch names patterns. Use thebranches-ignorefilter when you only want to exclude branch name patterns. You cannot use both thebranchesandbranches-ignorefilters for the same event in a workflow.

Use thetagsfilter when you want to include tag name patterns or when you want to both include and exclude tag names patterns. Use thetags-ignorefilter when you only want to exclude tag name patterns. You cannot use both thetagsandtags-ignorefilters for the same event in a workflow.

If you define onlytags/tags-ignoreor onlybranches/branches-ignore,the workflow won't run for events affecting the undefined Git ref. If you define neithertags/tags-ignoreorbranches/branches-ignore,the workflow will run for events affecting either branches or tags. If you define bothbranches/branches-ignoreandpaths/paths-ignore,the workflow will only run when both filters are satisfied.

Thebranches,branches-ignore,tags,andtags-ignorekeywords accept glob patterns that use characters like*,**,+,?,!and others to match more than one branch or tag name. If a name contains any of these characters and you want a literal match, you need toescapeeach of these special characters with\.For more information about glob patterns, see the "Workflow syntax for GitHub Actions."

Example: Including branches and tags

The patterns defined inbranchesandtagsare evaluated against the Git ref's name. For example, the following workflow would run whenever there is apushevent to:

• A branch namedmain(refs/heads/main)
• A branch namedmona/octocat(refs/heads/mona/octocat)
• A branch whose name starts withreleases/,likereleases/10(refs/heads/releases/10)
• A tag namedv2(refs/tags/v2)
• A tag whose name starts withv1.,likev1.9.1(refs/tags/v1.9.1)

on:
push:
# Sequence of patterns matched against refs/heads
branches:
-main
-'mona/octocat'
-'releases/**'
# Sequence of patterns matched against refs/tags
tags:
-v2
-v1.*

Example: Excluding branches and tags

When a pattern matches thebranches-ignoreortags-ignorepattern, the workflow will not run. The patterns defined inbranchesandtagsare evaluated against the Git ref's name. For example, the following workflow would run whenever there is apushevent, unless thepushevent is to:

• A branch namedmona/octocat(refs/heads/mona/octocat)
• A branch whose name matchesreleases/**- Alpha,likereleases/beta/3- Alpha(refs/heads/releases/beta/3- Alpha)
• A tag namedv2(refs/tags/v2)
• A tag whose name starts withv1.,likev1.9(refs/tags/v1.9)

on:
push:
# Sequence of patterns matched against refs/heads
branches-ignore:
-'mona/octocat'
-'releases/**- Alpha '
# Sequence of patterns matched against refs/tags
tags-ignore:
-v2
-v1.*

Example: Including and excluding branches and tags

You can't usebranchesandbranches-ignoreto filter the same event in a single workflow. Similarly, you can't usetagsandtags-ignoreto filter the same event in a single workflow. If you want to both include and exclude branch or tag patterns for a single event, use thebranchesortagsfilter along with the!character to indicate which branches or tags should be excluded.

If you define a branch with the!character, you must also define at least one branch without the!character. If you only want to exclude branches, usebranches-ignoreinstead. Similarly, if you define a tag with the!character, you must also define at least one tag without the!character. If you only want to exclude tags, usetags-ignoreinstead.

The order that you define patterns matters.

• A matching negative pattern (prefixed with!) after a positive match will exclude the Git ref.
• A matching positive pattern after a negative match will include the Git ref again.

The following workflow will run on pushes toreleases/10orreleases/beta/mona,but not onreleases/10- Alphaorreleases/beta/3- Alphabecause the negative pattern!releases/**- Alphafollows the positive pattern.

on:
push:
branches:
-'releases/**'
-'!releases/**- Alpha '

on.<push|pull_request|pull_request_target>.<paths|paths-ignore>

When using thepushandpull_requestevents, you can configure a workflow to run based on what file paths are changed. Path filters are not evaluated for pushes of tags.

Use thepathsfilter when you want to include file path patterns or when you want to both include and exclude file path patterns. Use thepaths-ignorefilter when you only want to exclude file path patterns. You cannot use both thepathsandpaths-ignorefilters for the same event in a workflow. If you want to both include and exclude path patterns for a single event, use thepathsfilter prefixed with the!character to indicate which paths should be excluded.

If you define bothbranches/branches-ignoreandpaths/paths-ignore,the workflow will only run when both filters are satisfied.

Thepathsandpaths-ignorekeywords accept glob patterns that use the*and**wildcard characters to match more than one path name. For more information, see the "Workflow syntax for GitHub Actions."

Example: Including paths

If at least one path matches a pattern in thepathsfilter, the workflow runs. For example, the following workflow would run anytime you push a JavaScript file (.js).

on:
push:
paths:
-'**.js'

If a workflow is skipped due to path filtering,branch filtering,or acommit message,then checks associated with that workflow will remain in a "Pending" state. A pull request that requires those checks to be successful will be blocked from merging.

Example: Excluding paths

When all the path names match patterns inpaths-ignore,the workflow will not run. If any path names do not match patterns inpaths-ignore,even if some path names match the patterns, the workflow will run.

A workflow with the following path filter will only run onpushevents that include at least one file outside thedocsdirectory at the root of the repository.

on:
push:
paths-ignore:
-'docs/**'

Example: Including and excluding paths

You cannot usepathsandpaths-ignoreto filter the same event in a single workflow. If you want to both include and exclude path patterns for a single event, use thepathsfilter prefixed with the!character to indicate which paths should be excluded.

If you define a path with the!character, you must also define at least one path without the!character. If you only want to exclude paths, usepaths-ignoreinstead.

The order that you definepathspatterns matters:

• A matching negative pattern (prefixed with!) after a positive match will exclude the path.
• A matching positive pattern after a negative match will include the path again.

This example runs anytime thepushevent includes a file in thesub-projectdirectory or its subdirectories, unless the file is in thesub-project/docsdirectory. For example, a push that changedsub-project/index.jsorsub-project/src/index.jswill trigger a workflow run, but a push changing onlysub-project/docs/readme.mdwill not.

on:
push:
paths:
-'sub-project/**'
-'!sub-project/docs/**'

Git diff comparisons

The filter determines if a workflow should run by evaluating the changed files and running them against thepaths-ignoreorpathslist. If there are no files changed, the workflow will not run.

GitHub generates the list of changed files using two-dot diffs for pushes and three-dot diffs for pull requests:

• Pull requests:Three-dot diffs are a comparison between the most recent version of the topic branch and the commit where the topic branch was last synced with the base branch.
• Pushes to existing branches:A two-dot diff compares the head and base SHAs directly with each other.
• Pushes to new branches:A two-dot diff against the parent of the ancestor of the deepest commit pushed.

Diffs are limited to 300 files. If there are files changed that aren't matched in the first 300 files returned by the filter, the workflow will not run. You may need to create more specific filters so that the workflow will run automatically.

For more information, see "About comparing branches in pull requests."

on.schedule

You can useon.scheduleto define a time schedule for your workflows. You can schedule a workflow to run at specific UTC times usingPOSIX cron syntax.Scheduled workflows run on the latest commit on the default or base branch. The shortest interval you can run scheduled workflows is once every 5 minutes.

This example triggers the workflow every day at 5:30 and 17:30 UTC:

on:
schedule:
# * is a special character in YAML so you have to quote this string
-cron:'30 5,17 * * *'

A single workflow can be triggered by multiplescheduleevents. You can access the schedule event that triggered the workflow through thegithub.event.schedulecontext. This example triggers the workflow to run at 5:30 UTC every Monday-Thursday, but skips theNot on Monday or Wednesdaystep on Monday and Wednesday.

on:
schedule:
-cron:'30 5 * * 1,3'
-cron:'30 5 * * 2,4'

jobs:
test_schedule:
runs-on:ubuntu-latest
steps:
-name:NotonMondayorWednesday
if:github.event.schedule!='30 5 * * 1,3'
run:echo"This step will be skipped on Monday and Wednesday"
-name:Everytime
run:echo"This step will always run"

For more information about cron syntax, see "Events that trigger workflows."

on.workflow_call

Useon.workflow_callto define the inputs and outputs for a reusable workflow. You can also map the secrets that are available to the called workflow. For more information on reusable workflows, see "Reusing workflows."

on.workflow_call.inputs

When using theworkflow_callkeyword, you can optionally specify inputs that are passed to the called workflow from the caller workflow. For more information about theworkflow_callkeyword, see "Events that trigger workflows."

In addition to the standard input parameters that are available,on.workflow_call.inputsrequires atypeparameter. For more information, seeon.workflow_call.inputs.<input_id>.type.

If adefaultparameter is not set, the default value of the input isfalsefor a boolean,0for a number, and""for a string.

Within the called workflow, you can use theinputscontext to refer to an input. For more information, see "Accessing contextual information about workflow runs."

If a caller workflow passes an input that is not specified in the called workflow, this results in an error.

Example ofon.workflow_call.inputs

on:
workflow_call:
inputs:
username:
description:'A username passed from the caller workflow'
default:'john-doe'
required:false
type:string

jobs:
print-username:
runs-on:ubuntu-latest

steps:
-name:PrinttheinputnametoSTDOUT
run:echoTheusernameis${{inputs.username}}

For more information, see "Reusing workflows."

on.workflow_call.inputs.<input_id>.type

Required if input is defined for theon.workflow_callkeyword. The value of this parameter is a string specifying the data type of the input. This must be one of:boolean,number,orstring.

on.workflow_call.outputs

A map of outputs for a called workflow. Called workflow outputs are available to all downstream jobs in the caller workflow. Each output has an identifier, an optionaldescription,and avalue.Thevaluemust be set to the value of an output from a job within the called workflow.

In the example below, two outputs are defined for this reusable workflow:workflow_output1andworkflow_output2.These are mapped to outputs calledjob_output1andjob_output2,both from a job calledmy_job.

Example ofon.workflow_call.outputs

on:
workflow_call:
# Map the workflow outputs to job outputs
outputs:
workflow_output1:
description:"The first job output"
value:${{jobs.my_job.outputs.job_output1}}
workflow_output2:
description:"The second job output"
value:${{jobs.my_job.outputs.job_output2}}

For information on how to reference a job output, seejobs.<job_id>.outputs.For more information, see "Reusing workflows."

on.workflow_call.secrets

A map of the secrets that can be used in the called workflow.

Within the called workflow, you can use thesecretscontext to refer to a secret.

If a caller workflow passes a secret that is not specified in the called workflow, this results in an error.

Example ofon.workflow_call.secrets

on:
workflow_call:
secrets:
access-token:
description:'A token passed from the caller workflow'
required:false

jobs:

pass-secret-to-action:
runs-on:ubuntu-latest
steps:
# passing the secret to an action
-name:Passthereceivedsecrettoanaction
uses:./.github/actions/my-action
with:
token:${{secrets.access-token}}

# passing the secret to a nested reusable workflow
pass-secret-to-workflow:
uses:./.github/workflows/my-workflow
secrets:
token:${{secrets.access-token}}

on.workflow_call.secrets.<secret_id>

A string identifier to associate with the secret.

on.workflow_call.secrets.<secret_id>.required

A boolean specifying whether the secret must be supplied.

on.workflow_run.<branches|branches-ignore>

When using theworkflow_runevent, you can specify what branches the triggering workflow must run on in order to trigger your workflow.

Thebranchesandbranches-ignorefilters accept glob patterns that use characters like*,**,+,?,!and others to match more than one branch name. If a name contains any of these characters and you want a literal match, you need toescapeeach of these special characters with\.For more information about glob patterns, see the "Workflow syntax for GitHub Actions."

For example, a workflow with the following trigger will only run when the workflow namedBuildruns on a branch whose name starts withreleases/:

on:
workflow_run:
workflows:["Build"]
types:[requested]
branches:
-'releases/**'

A workflow with the following trigger will only run when the workflow namedBuildruns on a branch that is not namedcanary:

on:
workflow_run:
workflows:["Build"]
types:[requested]
branches-ignore:
-"canary"

You cannot use both thebranchesandbranches-ignorefilters for the same event in a workflow. If you want to both include and exclude branch patterns for a single event, use thebranchesfilter along with the!character to indicate which branches should be excluded.

The order that you define patterns matters.

• A matching negative pattern (prefixed with!) after a positive match will exclude the branch.
• A matching positive pattern after a negative match will include the branch again.

For example, a workflow with the following trigger will run when the workflow namedBuildruns on a branch that is namedreleases/10orreleases/beta/monabut will notreleases/10- Alpha,releases/beta/3- Alpha,ormain.

on:
workflow_run:
workflows:["Build"]
types:[requested]
branches:
-'releases/**'
-'!releases/**- Alpha '

on.workflow_dispatch

When using theworkflow_dispatchevent, you can optionally specify inputs that are passed to the workflow.

This trigger only receives events when the workflow file is on the default branch.

on.workflow_dispatch.inputs

The triggered workflow receives the inputs in theinputscontext. For more information, see "Contexts."

Example ofon.workflow_dispatch.inputs

on:
workflow_dispatch:
inputs:
logLevel:
description:'Log level'
required:true
default:'warning'
type:choice
options:
-info
-warning
-debug
print_tags:
description:'True to print to STDOUT'
required:true
type:boolean
tags:
description:'Test scenario tags'
required:true
type:string
environment:
description:'Environment to run tests against'
type:environment
required:true

jobs:
print-tag:
runs-on:ubuntu-latest
if:${{inputs.print_tags}}
steps:
-name:PrinttheinputtagtoSTDOUT
run:echoThetagsare${{inputs.tags}}

on.workflow_dispatch.inputs.<input_id>.required

A boolean specifying whether the input must be supplied.

on.workflow_dispatch.inputs.<input_id>.type

The value of this parameter is a string specifying the data type of the input. This must be one of:boolean,choice,number,environmentorstring.

permissions

You can usepermissionsto modify the default permissions granted to theGITHUB_TOKEN,adding or removing access as required, so that you only allow the minimum required access. For more information, see "Automatic token authentication."

You can usepermissionseither as a top-level key, to apply to all jobs in the workflow, or within specific jobs. When you add thepermissionskey within a specific job, all actions and run commands within that job that use theGITHUB_TOKENgain the access rights you specify. For more information, seejobs.<job_id>.permissions.

For each of the available permissions, shown in the table below, you can assign one of the access levels:read(if applicable),write,ornone.writeincludesread.If you specify the access for any of these permissions, all of those that are not specified are set tonone.

Available permissions and details of what each allows an action to do:

Defining access for theGITHUB_TOKENscopes

You can define the access that theGITHUB_TOKENwill permit by specifyingread,write,ornoneas the value of the available permissions within thepermissionskey.

permissions:
actions:read|write|none
attestations:read|write|none
checks:read|write|none
contents:read|write|none
deployments:read|write|none
id-token:write|none
issues:read|write|none
discussions:read|write|none
packages:read|write|none
pages:read|write|none
pull-requests:read|write|none
repository-projects:read|write|none
security-events:read|write|none
statuses:read|write|none

If you specify the access for any of these permissions, all of those that are not specified are set tonone.

You can use the following syntax to define one ofread-allorwrite-allaccess for all of the available permissions:

permissions:read-all

permissions:write-all

You can use the following syntax to disable permissions for all of the available permissions:

permissions:{}

Changing the permissions in a forked repository

You can use thepermissionskey to add and remove read permissions for forked repositories, but typically you can't grant write access. The exception to this behavior is where an admin user has selected theSend write tokens to workflows from pull requestsoption in the GitHub Actions settings. For more information, see "Managing GitHub Actions settings for a repository."

Setting theGITHUB_TOKENpermissions for all jobs in a workflow

You can specifypermissionsat the top level of a workflow, so that the setting applies to all jobs in the workflow.

Example: Setting theGITHUB_TOKENpermissions for an entire workflow

This example shows permissions being set for theGITHUB_TOKENthat will apply to all jobs in the workflow. All permissions are granted read access.

name:"My workflow"

on:[push]

permissions:read-all

jobs:
...

env

Amapof variables that are available to the steps of all jobs in the workflow. You can also set variables that are only available to the steps of a single job or to a single step. For more information, seejobs.<job_id>.envandjobs.<job_id>.steps[*].env.

Variables in theenvmap cannot be defined in terms of other variables in the map.

When more than one environment variable is defined with the same name, GitHub uses the most specific variable. For example, an environment variable defined in a step will override job and workflow environment variables with the same name, while the step executes. An environment variable defined for a job will override a workflow variable with the same name, while the job executes.

Example ofenv

env:
SERVER:production

defaults

Usedefaultsto create amapof default settings that will apply to all jobs in the workflow. You can also set default settings that are only available to a job. For more information, seejobs.<job_id>.defaults.

When more than one default setting is defined with the same name, GitHub uses the most specific default setting. For example, a default setting defined in a job will override a default setting that has the same name defined in a workflow.

defaults.run

You can usedefaults.runto provide defaultshellandworking-directoryoptions for allrunsteps in a workflow. You can also set default settings forrunthat are only available to a job. For more information, seejobs.<job_id>.defaults.run.You cannot use contexts or expressions in this keyword.

When more than one default setting is defined with the same name, GitHub uses the most specific default setting. For example, a default setting defined in a job will override a default setting that has the same name defined in a workflow.

Example: Set the default shell and working directory

defaults:
run:
shell:bash
working-directory:./scripts

defaults.run.shell

Useshellto define theshellfor a step. This keyword can reference several contexts. For more information, see "Contexts."

defaults.run.working-directory

Useworking-directoryto define the working directory for theshellfor a step. This keyword can reference several contexts. For more information, see "Contexts."

concurrency

Useconcurrencyto ensure that only a single job or workflow using the same concurrency group will run at a time. A concurrency group can be any string or expression. The expression can only usegithub,inputsandvarscontexts. For more information about expressions, see "Evaluate expressions in workflows and actions."

You can also specifyconcurrencyat the job level. For more information, seejobs.<job_id>.concurrency.

This means that there can be at most one running and one pending job in a concurrency group at any time. When a concurrent job or workflow is queued, if another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will bepending.Any existingpendingjob or workflow in the same concurrency group, if it exists, will be canceled and the new queued job or workflow will take its place.

To also cancel any currently running job or workflow in the same concurrency group, specifycancel-in-progress: true.To conditionally cancel currently running jobs or workflows in the same concurrency group, you can specifycancel-in-progressas an expression with any of the allowed expression contexts.

Example: Using concurrency and the default behavior

The default behavior of GitHub Actions is to allow multiple jobs or workflow runs to run concurrently. Theconcurrencykeyword allows you to control the concurrency of workflow runs.

For example, you can use theconcurrencykeyword immediately after where trigger conditions are defined to limit the concurrency of entire workflow runs for a specific branch:

on:
push:
branches:
-main

concurrency:
group:${{github.workflow}}-${{github.ref}}
cancel-in-progress:true

You can also limit the concurrency of jobs within a workflow by using theconcurrencykeyword at the job level:

on:
push:
branches:
-main

jobs:
job-1:
runs-on:ubuntu-latest
concurrency:
group:example-group
cancel-in-progress:true

Example: Concurrency groups

Concurrency groups provide a way to manage and limit the execution of workflow runs or jobs that share the same concurrency key.

Theconcurrencykey is used to group workflows or jobs together into a concurrency group. When you define aconcurrencykey, GitHub Actions ensures that only one workflow or job with that key runs at any given time. If a new workflow run or job starts with the sameconcurrencykey, GitHub Actions will cancel any workflow or job already running with that key. Theconcurrencykey can be a hard-coded string, or it can be a dynamic expression that includes context variables.

It is possible to define concurrency conditions in your workflow so that the workflow or job is part of a concurrency group.

This means that when a workflow run or job starts, GitHub will cancel any workflow runs or jobs that are already in progress in the same concurrency group. This is useful in scenarios where you want to prevent parallel runs for a certain set of a workflows or jobs, such as the ones used for deployments to a staging environment, in order to prevent actions that could cause conflicts or consume more resources than necessary.

In this example,job-1is part of a concurrency group namedstaging_environment.This means that if a new run ofjob-1is triggered, any runs of the same job in thestaging_environmentconcurrency group that are already in progress will be cancelled.

jobs:
job-1:
runs-on:ubuntu-latest
concurrency:
group:staging_environment
cancel-in-progress:true

Alternatively, using a dynamic expression such asconcurrency: ci-${{ github.ref }}in your workflow means that the workflow or job would be part of a concurrency group namedci-followed by the reference of the branch or tag that triggered the workflow. In this example, if a new commit is pushed to the main branch while a previous run is still in progress, the previous run will be cancelled and the new one will start:

on:
push:
branches:
-main

concurrency:
group:ci-${{github.ref}}
cancel-in-progress:true

Example: Using concurrency to cancel any in-progress job or run

To use concurrency to cancel any in-progress job or run in GitHub Actions, you can use theconcurrencykey with thecancel-in-progressoption set totrue:

concurrency:
group:${{github.ref}}
cancel-in-progress:true

Note that in this example, without defining a particular concurrency group, GitHub Actions will cancelanyin-progress run of the job or workflow.

Example: Using a fallback value

If you build the group name with a property that is only defined for specific events, you can use a fallback value. For example,github.head_refis only defined onpull_requestevents. If your workflow responds to other events in addition topull_requestevents, you will need to provide a fallback to avoid a syntax error. The following concurrency group cancels in-progress jobs or runs onpull_requestevents only; ifgithub.head_refis undefined, the concurrency group will fallback to the run ID, which is guaranteed to be both unique and defined for the run.

concurrency:
group:${{github.head_ref||github.run_id}}
cancel-in-progress:true

Example: Only cancel in-progress jobs or runs for the current workflow

If you have multiple workflows in the same repository, concurrency group names must be unique across workflows to avoid canceling in-progress jobs or runs from other workflows. Otherwise, any previously in-progress or pending job will be canceled, regardless of the workflow.

To only cancel in-progress runs of the same workflow, you can use thegithub.workflowproperty to build the concurrency group:

concurrency:
group:${{github.workflow}}-${{github.ref}}
cancel-in-progress:true

Example: Only cancel in-progress jobs on specific branches

If you would like to cancel in-progress jobs on certain branches but not on others, you can use conditional expressions withcancel-in-progress.For example, you can do this if you would like to cancel in-progress jobs on development branches but not on release branches.

To only cancel in-progress runs of the same workflow when not running on a release branch, you can setcancel-in-progressto an expression similar to the following:

concurrency:
group:${{github.workflow}}-${{github.ref}}
cancel-in-progress:${{!contains(github.ref,'release/')}}

In this example, multiple pushes to arelease/1.2.3branch would not cancel in-progress runs. Pushes to another branch, such asmain,would cancel in-progress runs.

jobs

A workflow run is made up of one or morejobs,which run in parallel by default. To run jobs sequentially, you can define dependencies on other jobs using thejobs.<job_id>.needskeyword.

Each job runs in a runner environment specified byruns-on.

You can run an unlimited number of jobs as long as you are within the workflow usage limits. For more information, see "Usage limits, billing, and administration"for GitHub-hosted runners and"About self-hosted runners"for self-hosted runner usage limits.

If you need to find the unique identifier of a job running in a workflow run, you can use the GitHub API. For more information, see "REST API endpoints for GitHub Actions."

jobs.<job_id>

Usejobs.<job_id>to give your job a unique identifier. The keyjob_idis a string and its value is a map of the job's configuration data. You must replace<job_id>with a string that is unique to thejobsobject. The<job_id>must start with a letter or_and contain only Alpha numeric characters,-,or_.

Example: Creating jobs

In this example, two jobs have been created, and theirjob_idvalues aremy_first_jobandmy_second_job.

jobs:
my_first_job:
name:Myfirstjob
my_second_job:
name:Mysecondjob

jobs.<job_id>.name

Usejobs.<job_id>.nameto set a name for the job, which is displayed in the GitHub UI.

jobs.<job_id>.permissions

For a specific job, you can usejobs.<job_id>.permissionsto modify the default permissions granted to theGITHUB_TOKEN,adding or removing access as required, so that you only allow the minimum required access. For more information, see "Automatic token authentication."

By specifying the permission within a job definition, you can configure a different set of permissions for theGITHUB_TOKENfor each job, if required. Alternatively, you can specify the permissions for all jobs in the workflow. For information on defining permissions at the workflow level, seepermissions.

For each of the available permissions, shown in the table below, you can assign one of the access levels:read(if applicable),write,ornone.writeincludesread.If you specify the access for any of these permissions, all of those that are not specified are set tonone.

Available permissions and details of what each allows an action to do:

Defining access for theGITHUB_TOKENscopes

You can define the access that theGITHUB_TOKENwill permit by specifyingread,write,ornoneas the value of the available permissions within thepermissionskey.

permissions:
actions:read|write|none
attestations:read|write|none
checks:read|write|none
contents:read|write|none
deployments:read|write|none
id-token:write|none
issues:read|write|none
discussions:read|write|none
packages:read|write|none
pages:read|write|none
pull-requests:read|write|none
repository-projects:read|write|none
security-events:read|write|none
statuses:read|write|none

If you specify the access for any of these permissions, all of those that are not specified are set tonone.

You can use the following syntax to define one ofread-allorwrite-allaccess for all of the available permissions:

permissions:read-all

permissions:write-all

You can use the following syntax to disable permissions for all of the available permissions:

permissions:{}

Changing the permissions in a forked repository

You can use thepermissionskey to add and remove read permissions for forked repositories, but typically you can't grant write access. The exception to this behavior is where an admin user has selected theSend write tokens to workflows from pull requestsoption in the GitHub Actions settings. For more information, see "Managing GitHub Actions settings for a repository."

Example: Setting theGITHUB_TOKENpermissions for one job in a workflow

This example shows permissions being set for theGITHUB_TOKENthat will only apply to the job namedstale.Write access is granted for theissuesandpull-requestspermissions. All other permissions will have no access.

jobs:
stale:
runs-on:ubuntu-latest

permissions:
issues:write
pull-requests:write

steps:
-uses:actions/stale@v5

jobs.<job_id>.needs

Usejobs.<job_id>.needsto identify any jobs that must complete successfully before this job will run. It can be a string or array of strings. If a job fails or is skipped, all jobs that need it are skipped unless the jobs use a conditional expression that causes the job to continue. If a run contains a series of jobs that need each other, a failure or skip applies to all jobs in the dependency chain from the point of failure or skip onwards. If you would like a job to run even if a job it is dependent on did not succeed, use thealways()conditional expression injobs.<job_id>.if.

Example: Requiring successful dependent jobs

jobs:
job1:
job2:
needs:job1
job3:
needs:[job1,job2]

In this example,job1must complete successfully beforejob2begins, andjob3waits for bothjob1andjob2to complete.

The jobs in this example run sequentially:

1. job1
2. job2
3. job3

Example: Not requiring successful dependent jobs

jobs:
job1:
job2:
needs:job1
job3:
if:${{always()}}
needs:[job1,job2]

In this example,job3uses thealways()conditional expression so that it always runs afterjob1andjob2have completed, regardless of whether they were successful. For more information, see "Evaluate expressions in workflows and actions."

jobs.<job_id>.if

You can use thejobs.<job_id>.ifconditional to prevent a job from running unless a condition is met. You can use any supported context and expression to create a conditional. For more information on which contexts are supported in this key, see "Accessing contextual information about workflow runs."

When you use expressions in anifconditional, you can, optionally, omit the${{ }}expression syntax because GitHub Actions automatically evaluates theifconditional as an expression. However, this exception does not apply everywhere.

You must always use the${{ }}expression syntax or escape with'',"",or()when the expression starts with!,since!is reserved notation in YAML format. For example:

if:${{!startsWith(github.ref,'refs/tags/')}}

For more information, see "Evaluate expressions in workflows and actions."

Example: Only run job for specific repository

This example usesifto control when theproduction-deployjob can run. It will only run if the repository is namedocto-repo-prodand is within theocto-orgorganization. Otherwise, the job will be marked asskipped.

name: example-workflow
on: [push]
jobs:
production-deploy:
if: github.repository == 'octo-org/octo-repo-prod'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '14'
- run: npm install -g bats

name:example-workflow
on:[push]
jobs:
production-deploy:
if:github.repository=='octo-org/octo-repo-prod'
runs-on:ubuntu-latest
steps:
-uses:actions/checkout@v4
-uses:actions/setup-node@v4
with:
node-version:'14'
-run:npminstall-gbats

jobs.<job_id>.runs-on

Usejobs.<job_id>.runs-onto define the type of machine to run the job on.

• The destination machine can be either aGitHub-hosted runner,larger runner,or aself-hosted runner.
• You can target runners based on the labels assigned to them, or their group membership, or a combination of these.

• You can provideruns-onas:

  • A single string
  • A single variable containing a string
  • An array of strings, variables containing strings, or a combination of both
  • Akey: valuepair using thegrouporlabelskeys

• If you specify an array of strings or variables, your workflow will execute on any runner that matches all of the specifiedruns-onvalues. For example, here the job will only run on a self-hosted runner that has the labelslinux,x64,andgpu:

  runs-on:[self-hosted,linux,x64,gpu]
  

  For more information, see "Choosing self-hosted runners."

• You can mix strings and variables in an array. For example:

  on:
  workflow_dispatch:
  inputs:
  chosen-os:
  required:true
  type:choice
  options:
  -Ubuntu
  -macOS
  
  jobs:
  test:
  runs-on:[self-hosted,"${{ inputs.chosen-os }}"]
  steps:
  -run:echoHelloworld!
  

• If you would like to run your workflow on multiple machines, usejobs.<job_id>.strategy.

Choosing GitHub-hosted runners

If you use a GitHub-hosted runner, each job runs in a fresh instance of a runner image specified byruns-on.

The value for runs-on, when you are using a GitHub-hosted runner, is a runner label or the name of a runner group. The labels for the standard GitHub-hosted runners are shown in the following tables.

For more information, see "About GitHub-hosted runners."

Standard GitHub-hosted runners for public repositories

For public repositories, jobs using the workflow labels shown in the table below will run on virtual machines with the associated specifications. The use of these runners on public repositories is free and unlimited.

Standard GitHub-hosted runners for private repositories

For private repositories, jobs using the workflow labels shown in the table below will run on virtual machines with the associated specifications. These runners use your GitHub account's allotment of free minutes, and are then charged at the per minute rates. For more information, see "About billing for GitHub Actions."

In addition to the standard GitHub-hosted runners, GitHub offers customers on GitHub Team and GitHub Enterprise Cloud plans a range of managed virtual machines with advanced features - for example, more cores and disk space, GPU-powered machines, and ARM-powered machines. For more information, see "About larger runners."

Example: Specifying an operating system

runs-on:ubuntu-latest

For more information, see "Using GitHub-hosted runners."

Choosing self-hosted runners

To specify a self-hosted runner for your job, configureruns-onin your workflow file with self-hosted runner labels.

Self-hosted runners may have theself-hostedlabel. When setting up a self-hosted runner, by default we will include the labelself-hosted.You may pass in the--no-default-labelsflag to prevent the self-hosted label from being applied. Labels can be used to create targeting options for runners, such as operating system or architecture, we recommend providing an array of labels that begins withself-hosted(this must be listed first) and then includes additional labels as needed. When you specify an array of labels, jobs will be queued on runners that have all the labels that you specify.

Note that Actions Runner Controller does not support multiple labels and does not support theself-hostedlabel.

Example: Using labels for runner selection

runs-on:[self-hosted,linux]

For more information, see "About self-hosted runners"and"Using self-hosted runners in a workflow."

Choosing runners in a group

You can useruns-onto target runner groups, so that the job will execute on any runner that is a member of that group. For more granular control, you can also combine runner groups with labels.

Runner groups can only havelarger runnersorself-hosted runnersas members.

Example: Using groups to control where jobs are run

In this example, Ubuntu runners have been added to a group calledubuntu-runners.Theruns-onkey sends the job to any available runner in theubuntu-runnersgroup:

name:learn-github-actions
on:[push]
jobs:
check-bats-version:
runs-on:
group:ubuntu-runners
steps:
-uses:actions/checkout@v4
-uses:actions/setup-node@v4
with:
node-version:'14'
-run:npminstall-gbats
-run:bats-v

Example: Combining groups and labels

When you combine groups and labels, the runner must meet both requirements to be eligible to run the job.

In this example, a runner group calledubuntu-runnersis populated with Ubuntu runners, which have also been assigned the labelubuntu-20.04-16core.Theruns-onkey combinesgroupandlabelsso that the job is routed to any available runner within the group that also has a matching label:

name:learn-github-actions
on:[push]
jobs:
check-bats-version:
runs-on:
group:ubuntu-runners
labels:ubuntu-20.04-16core
steps:
-uses:actions/checkout@v4
-uses:actions/setup-node@v4
with:
node-version:'14'
-run:npminstall-gbats
-run:bats-v

jobs.<job_id>.environment

Usejobs.<job_id>.environmentto define the environment that the job references.

You can provide the environment as only the environmentname,or as an environment object with thenameandurl.The URL maps toenvironment_urlin the deployments API. For more information about the deployments API, see "REST API endpoints for repositories."

Example: Using a single environment name

environment:staging_environment

Example: Using environment name and URL

environment:
name:production_environment
url:https://github

The value ofurlcan be an expression. Allowed expression contexts:github,inputs,vars,needs,strategy,matrix,job,runner,env,andsteps.For more information about expressions, see "Evaluate expressions in workflows and actions."

Example: Using output as URL

environment:
name:production_environment
url:${{steps.step_id.outputs.url_output}}

The value ofnamecan be an expression. Allowed expression contexts:github,inputs,vars,needs,strategy,andmatrix.For more information about expressions, see "Evaluate expressions in workflows and actions."

Example: Using an expression as environment name

environment:
name:${{github.ref_name}}

jobs.<job_id>.concurrency

You can usejobs.<job_id>.concurrencyto ensure that only a single job or workflow using the same concurrency group will run at a time. A concurrency group can be any string or expression. Allowed expression contexts:github,inputs,vars,needs,strategy,andmatrix.For more information about expressions, see "Evaluate expressions in workflows and actions."

You can also specifyconcurrencyat the workflow level. For more information, seeconcurrency.

This means that there can be at most one running and one pending job in a concurrency group at any time. When a concurrent job or workflow is queued, if another job or workflow using the same concurrency group in the repository is in progress, the queued job or workflow will bepending.Any existingpendingjob or workflow in the same concurrency group, if it exists, will be canceled and the new queued job or workflow will take its place.

To also cancel any currently running job or workflow in the same concurrency group, specifycancel-in-progress: true.To conditionally cancel currently running jobs or workflows in the same concurrency group, you can specifycancel-in-progressas an expression with any of the allowed expression contexts.

Example: Using concurrency and the default behavior

The default behavior of GitHub Actions is to allow multiple jobs or workflow runs to run concurrently. Theconcurrencykeyword allows you to control the concurrency of workflow runs.

For example, you can use theconcurrencykeyword immediately after where trigger conditions are defined to limit the concurrency of entire workflow runs for a specific branch:

on:
push:
branches:
-main

concurrency:
group:${{github.workflow}}-${{github.ref}}
cancel-in-progress:true

You can also limit the concurrency of jobs within a workflow by using theconcurrencykeyword at the job level:

on:
push:
branches:
-main

jobs:
job-1:
runs-on:ubuntu-latest
concurrency:
group:example-group
cancel-in-progress:true

Example: Concurrency groups

Concurrency groups provide a way to manage and limit the execution of workflow runs or jobs that share the same concurrency key.

Theconcurrencykey is used to group workflows or jobs together into a concurrency group. When you define aconcurrencykey, GitHub Actions ensures that only one workflow or job with that key runs at any given time. If a new workflow run or job starts with the sameconcurrencykey, GitHub Actions will cancel any workflow or job already running with that key. Theconcurrencykey can be a hard-coded string, or it can be a dynamic expression that includes context variables.

It is possible to define concurrency conditions in your workflow so that the workflow or job is part of a concurrency group.

This means that when a workflow run or job starts, GitHub will cancel any workflow runs or jobs that are already in progress in the same concurrency group. This is useful in scenarios where you want to prevent parallel runs for a certain set of a workflows or jobs, such as the ones used for deployments to a staging environment, in order to prevent actions that could cause conflicts or consume more resources than necessary.

In this example,job-1is part of a concurrency group namedstaging_environment.This means that if a new run ofjob-1is triggered, any runs of the same job in thestaging_environmentconcurrency group that are already in progress will be cancelled.

jobs:
job-1:
runs-on:ubuntu-latest
concurrency:
group:staging_environment
cancel-in-progress:true

Alternatively, using a dynamic expression such asconcurrency: ci-${{ github.ref }}in your workflow means that the workflow or job would be part of a concurrency group namedci-followed by the reference of the branch or tag that triggered the workflow. In this example, if a new commit is pushed to the main branch while a previous run is still in progress, the previous run will be cancelled and the new one will start:

on:
push:
branches:
-main

concurrency:
group:ci-${{github.ref}}
cancel-in-progress:true

Example: Using concurrency to cancel any in-progress job or run

To use concurrency to cancel any in-progress job or run in GitHub Actions, you can use theconcurrencykey with thecancel-in-progressoption set totrue:

concurrency:
group:${{github.ref}}
cancel-in-progress:true

Note that in this example, without defining a particular concurrency group, GitHub Actions will cancelanyin-progress run of the job or workflow.

Example: Using a fallback value

If you build the group name with a property that is only defined for specific events, you can use a fallback value. For example,github.head_refis only defined onpull_requestevents. If your workflow responds to other events in addition topull_requestevents, you will need to provide a fallback to avoid a syntax error. The following concurrency group cancels in-progress jobs or runs onpull_requestevents only; ifgithub.head_refis undefined, the concurrency group will fallback to the run ID, which is guaranteed to be both unique and defined for the run.

concurrency:
group:${{github.head_ref||github.run_id}}
cancel-in-progress:true

Example: Only cancel in-progress jobs or runs for the current workflow

If you have multiple workflows in the same repository, concurrency group names must be unique across workflows to avoid canceling in-progress jobs or runs from other workflows. Otherwise, any previously in-progress or pending job will be canceled, regardless of the workflow.

To only cancel in-progress runs of the same workflow, you can use thegithub.workflowproperty to build the concurrency group:

concurrency:
group:${{github.workflow}}-${{github.ref}}
cancel-in-progress:true

Example: Only cancel in-progress jobs on specific branches

If you would like to cancel in-progress jobs on certain branches but not on others, you can use conditional expressions withcancel-in-progress.For example, you can do this if you would like to cancel in-progress jobs on development branches but not on release branches.

To only cancel in-progress runs of the same workflow when not running on a release branch, you can setcancel-in-progressto an expression similar to the following:

concurrency:
group:${{github.workflow}}-${{github.ref}}
cancel-in-progress:${{!contains(github.ref,'release/')}}

In this example, multiple pushes to arelease/1.2.3branch would not cancel in-progress runs. Pushes to another branch, such asmain,would cancel in-progress runs.

jobs.<job_id>.outputs

You can usejobs.<job_id>.outputsto create amapof outputs for a job. Job outputs are available to all downstream jobs that depend on this job. For more information on defining job dependencies, seejobs.<job_id>.needs.

Outputs are Unicode strings, and can be a maximum of 1 MB. The total of all outputs in a workflow run can be a maximum of 50 MB.

Job outputs containing expressions are evaluated on the runner at the end of each job. Outputs containing secrets are redacted on the runner and not sent to GitHub Actions.

If an output is skipped because it may contain a secret, you will see the following warning message: "Skip output{output.Key}since it may contain secret. "For more information on how to handle secrets, please refer to theExample: Masking and passing a secret between jobs or workflows.

To use job outputs in a dependent job, you can use theneedscontext. For more information, see "Accessing contextual information about workflow runs."

Example: Defining outputs for a job

jobs:
job1:
runs-on:ubuntu-latest
# Map a step output to a job output
outputs:
output1:${{steps.step1.outputs.test}}
output2:${{steps.step2.outputs.test}}
steps:
-id:step1
run:echo"test=hello">>"$GITHUB_OUTPUT"
-id:step2
run:echo"test=world">>"$GITHUB_OUTPUT"
job2:
runs-on:ubuntu-latest
needs:job1
steps:
-env:
OUTPUT1:${{needs.job1.outputs.output1}}
OUTPUT2:${{needs.job1.outputs.output2}}
run:echo"$OUTPUT1 $OUTPUT2"

Using Job Outputs in a Matrix Job

Matrices can be used to generate multiple outputs of different names. When using a matrix, job outputs will be combined from all jobs inside the matrix.

jobs:
job1:
runs-on:ubuntu-latest
outputs:
output_1:${{steps.gen_output.outputs.output_1}}
output_2:${{steps.gen_output.outputs.output_2}}
output_3:${{steps.gen_output.outputs.output_3}}
strategy:
matrix:
version:[1,2,3]
steps:
-name:Generateoutput
id:gen_output
run:|
version= "${{ matrix.version }}"
echo "output_${version}=${version}" >> "$GITHUB_OUTPUT"
job2:
runs-on:ubuntu-latest
needs:[job1]
steps:
# Will show
# {
# "output_1": "1",
# "output_2": "2",
# "output_3": "3"
# }
-run:echo'${{ toJSON(needs.job1.outputs) }}'

jobs.<job_id>.env

Amapof variables that are available to all steps in the job. You can set variables for the entire workflow or an individual step. For more information, seeenvandjobs.<job_id>.steps[*].env.

When more than one environment variable is defined with the same name, GitHub uses the most specific variable. For example, an environment variable defined in a step will override job and workflow environment variables with the same name, while the step executes. An environment variable defined for a job will override a workflow variable with the same name, while the job executes.

Example ofjobs.<job_id>.env

jobs:
job1:
env:
FIRST_NAME:Mona

jobs.<job_id>.defaults

Usejobs.<job_id>.defaultsto create amapof default settings that will apply to all steps in the job. You can also set default settings for the entire workflow. For more information, seedefaults.

When more than one default setting is defined with the same name, GitHub uses the most specific default setting. For example, a default setting defined in a job will override a default setting that has the same name defined in a workflow.

jobs.<job_id>.defaults.run

Usejobs.<job_id>.defaults.runto provide defaultshellandworking-directoryto allrunsteps in the job.

You can provide defaultshellandworking-directoryoptions for allrunsteps in a job. You can also set default settings forrunfor the entire workflow. For more information, seedefaults.run.

These can be overriden at thejobs.<job_id>.defaults.runandjobs.<job_id>.steps[*].runlevels.

When more than one default setting is defined with the same name, GitHub uses the most specific default setting. For example, a default setting defined in a job will override a default setting that has the same name defined in a workflow.

jobs.<job_id>.defaults.run.shell

Useshellto define theshellfor a step. This keyword can reference several contexts. For more information, see "Contexts."

jobs.<job_id>.defaults.run.working-directory

Useworking-directoryto define the working directory for theshellfor a step. This keyword can reference several contexts. For more information, see "Contexts."

Example: Setting defaultrunstep options for a job

jobs:
job1:
runs-on:ubuntu-latest
defaults:
run:
shell:bash
working-directory:./scripts

jobs.<job_id>.steps

A job contains a sequence of tasks calledsteps.Steps can run commands, run setup tasks, or run an action in your repository, a public repository, or an action published in a Docker registry. Not all steps run actions, but all actions run as a step. Each step runs in its own process in the runner environment and has access to the workspace and filesystem. Because steps run in their own process, changes to environment variables are not preserved between steps. GitHub provides built-in steps to set up and complete a job.

GitHub only displays the first 1,000 checks, however, you can run an unlimited number of steps as long as you are within the workflow usage limits. For more information, see "Usage limits, billing, and administration"for GitHub-hosted runners and"About self-hosted runners"for self-hosted runner usage limits.

Example ofjobs.<job_id>.steps

name:GreetingfromMona

on:push

jobs:
my-job:
name:MyJob
runs-on:ubuntu-latest
steps:
-name:Printagreeting
env:
MY_VAR:Hithere!Mynameis
FIRST_NAME:Mona
MIDDLE_NAME:The
LAST_NAME:Octocat
run:|
echo $MY_VAR $FIRST_NAME $MIDDLE_NAME $LAST_NAME.

jobs.<job_id>.steps[*].id

A unique identifier for the step. You can use theidto reference the step in contexts. For more information, see "Accessing contextual information about workflow runs."

jobs.<job_id>.steps[*].if

You can use theifconditional to prevent a step from running unless a condition is met. You can use any supported context and expression to create a conditional. For more information on which contexts are supported in this key, see "Accessing contextual information about workflow runs."

When you use expressions in anifconditional, you can, optionally, omit the${{ }}expression syntax because GitHub Actions automatically evaluates theifconditional as an expression. However, this exception does not apply everywhere.

You must always use the${{ }}expression syntax or escape with'',"",or()when the expression starts with!,since!is reserved notation in YAML format. For example:

if:${{!startsWith(github.ref,'refs/tags/')}}

For more information, see "Evaluate expressions in workflows and actions."

Example: Using contexts

This step only runs when the event type is apull_requestand the event action isunassigned.

steps:
-name:Myfirststep
if:${{github.event_name=='pull_request'&&github.event.action=='unassigned'}}
run:echoThiseventisapullrequestthathadanassigneeremoved.

Example: Using status check functions

Themy backup steponly runs when the previous step of a job fails. For more information, see "Evaluate expressions in workflows and actions."

steps:
-name:Myfirststep
uses:octo-org/action-name@main
-name:Mybackupstep
if:${{failure()}}
uses:actions/[email protected]

Example: Using secrets

Secrets cannot be directly referenced inif:conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job.

If a secret has not been set, the return value of an expression referencing the secret (such as${{ secrets.SuperSecret }}in the example) will be an empty string.

name:Runastepifasecrethasbeenset
on:push
jobs:
my-jobname:
runs-on:ubuntu-latest
env:
super_secret:${{secrets.SuperSecret}}
steps:
-if:${{env.super_secret!=''}}
run:echo'This step will only run if the secret has a value set.'
-if:${{env.super_secret==''}}
run:echo'This step will only run if the secret does not have a value set.'

For more information, see "Accessing contextual information about workflow runs"and"Using secrets in GitHub Actions."

jobs.<job_id>.steps[*].name

A name for your step to display on GitHub.

jobs.<job_id>.steps[*].uses

Selects an action to run as part of a step in your job. An action is a reusable unit of code. You can use an action defined in the same repository as the workflow, a public repository, or in apublished Docker container image.

We strongly recommend that you include the version of the action you are using by specifying a Git ref, SHA, or Docker tag. If you don't specify a version, it could break your workflows or cause unexpected behavior when the action owner publishes an update.

• Using the commit SHA of a released action version is the safest for stability and security.
• If the action publishes major version tags, you should expect to receive critical fixes and security patches while still retaining compatibility. Note that this behavior is at the discretion of the action's author.
• Using the default branch of an action may be convenient, but if someone releases a new major version with a breaking change, your workflow could break.

Some actions require inputs that you must set using thewithkeyword. Review the action's README file to determine the inputs required.

Actions are either JavaScript files or Docker containers. If the action you're using is a Docker container you must run the job in a Linux environment. For more details, seeruns-on.

Example: Using versioned actions

steps:
# Reference a specific commit
-uses:actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
# Reference the major version of a release
-uses:actions/checkout@v4
# Reference a specific version
-uses:actions/[email protected]
# Reference a branch
-uses:actions/checkout@main

Example: Using a public action

{owner}/{repo}@{ref}

You can specify a branch, ref, or SHA in a public GitHub repository.

jobs:
my_first_job:
steps:
-name:Myfirststep
# Uses the default branch of a public repository
uses:actions/heroku@main
-name:Mysecondstep
# Uses a specific version tag of a public repository
uses:actions/[email protected]

Example: Using a public action in a subdirectory

{owner}/{repo}/{path}@{ref}

A subdirectory in a public GitHub repository at a specific branch, ref, or SHA.

jobs:
my_first_job:
steps:
-name:Myfirststep
uses:actions/aws/ec2@main

Example: Using an action in the same repository as the workflow

./path/to/dir

The path to the directory that contains the action in your workflow's repository. You must check out your repository before using the action.

Example repository file structure:

|-- hello-world (repository)
| |__.github
| └── workflows
| └── my-first-workflow.yml
| └── actions
| |__ hello-world-action
| └── action.yml

The path is relative (./) to the default working directory (github.workspace,$GITHUB_WORKSPACE). If the action checks out the repository to a location different than the workflow, the relative path used for local actions must be updated.

Example workflow file:

jobs:
my_first_job:
runs-on:ubuntu-latest
steps:
# This step checks out a copy of your repository.
-name:Myfirststep-checkoutrepository
uses:actions/checkout@v4
# This step references the directory that contains the action.
-name:Uselocalhello-world-action
uses:./.github/actions/hello-world-action

Example: Using a Docker Hub action

docker://{image}:{tag}

A Docker image published onDocker Hub.

jobs:
my_first_job:
steps:
-name:Myfirststep
uses:docker://alpine:3.8

Example: Using the GitHub Packages Container registry

docker://{host}/{image}:{tag}

A public Docker image in the GitHub Packages Container registry.

jobs:
my_first_job:
steps:
-name:Myfirststep
uses:docker://ghcr.io/OWNER/IMAGE_NAME

Example: Using a Docker public registry action

docker://{host}/{image}:{tag}

A Docker image in a public registry. This example uses the Google Container Registry atgcr.io.

jobs:
my_first_job:
steps:
-name:Myfirststep
uses:docker://gcr.io/cloud-builders/gradle

Example: Using an action inside a different private repository than the workflow

Your workflow must checkout the private repository and reference the action locally. Generate a personal access token and add the token as a secret. For more information, see "Managing your personal access tokens"and"Using secrets in GitHub Actions."

ReplacePERSONAL_ACCESS_TOKENin the example with the name of your secret.

jobs:
my_first_job:
steps:
-name:Checkoutrepository
uses:actions/checkout@v4
with:
repository:octocat/my-private-repo
ref:v1.0
token:${{secrets.PERSONAL_ACCESS_TOKEN}}
path:./.github/actions/my-private-repo
-name:Runmyaction
uses:./.github/actions/my-private-repo/my-action

Alternatively, use a GitHub App instead of a personal access token in order to ensure your workflow continues to run even if the personal access token owner leaves. For more information, see "Making authenticated API requests with a GitHub App in a GitHub Actions workflow."

jobs.<job_id>.steps[*].run

Runs command-line programs that do not exceed 21,000 characters using the operating system's shell. If you do not provide aname,the step name will default to the text specified in theruncommand.

Commands run using non-login shells by default. You can choose a different shell and customize the shell used to run commands. For more information, seejobs.<job_id>.steps[*].shell.

Eachrunkeyword represents a new process and shell in the runner environment. When you provide multi-line commands, each line runs in the same shell. For example:

• A single-line command:

  -name:InstallDependencies
  run:npminstall
  

• A multi-line command:

  -name:Cleaninstalldependenciesandbuild
  run:|
  npm ci
  npm run build
  

jobs.<job_id>.steps[*].working-directory

Using theworking-directorykeyword, you can specify the working directory of where to run the command.

-name:Cleantempdirectory
run:rm-rf*
working-directory:./temp

Alternatively, you can specify a default working directory for allrunsteps in a job, or for allrunsteps in the entire workflow. For more information, see "defaults.run.working-directory"and"jobs.<job_id>.defaults.run.working-directory."

You can also use arunstep to run a script. For more information, see "Adding scripts to your workflow."

jobs.<job_id>.steps[*].shell

You can override the default shell settings in the runner's operating system and the job's default using theshellkeyword. You can use built-inshellkeywords, or you can define a custom set of shell options. The shell command that is run internally executes a temporary file that contains the commands specified in therunkeyword.

Alternatively, you can specify a default shell for allrunsteps in a job, or for allrunsteps in the entire workflow. For more information, see "defaults.run.shell"and"jobs.<job_id>.defaults.run.shell."

Example: Running a command using Bash

steps:
-name:Displaythepath
shell:bash
run:echo$PATH

Example: Running a command using Windowscmd

steps:
-name:Displaythepath
shell:cmd
run:echo%PATH%

Example: Running a command using PowerShell Core

steps:
-name:Displaythepath
shell:pwsh
run:echo${env:PATH}

Example: Using PowerShell Desktop to run a command

steps:
-name:Displaythepath
shell:powershell
run:echo${env:PATH}

Example: Running an inline Python script

steps:
-name:Displaythepath
shell:Python
run:|
import os
print(os.environ['PATH'])

Custom shell

You can set theshellvalue to a template string usingcommand [options] {0} [more_options].GitHub interprets the first whitespace-delimited word of the string as the command, and inserts the file name for the temporary script at{0}.

For example:

steps:
-name:Displaytheenvironmentvariablesandtheirvalues
shell:perl{0}
run:|
print %ENV

The command used,perlin this example, must be installed on the runner.

For information about the software included on GitHub-hosted runners, see "Using GitHub-hosted runners."

Exit codes and error action preference

For built-in shell keywords, we provide the following defaults that are executed by GitHub-hosted runners. You should use these guidelines when running shell scripts.

• bash/sh:

  • By default, fail-fast behavior is enforced usingset -efor bothshandbash.Whenshell: bashis specified,-o pipefailis also applied to enforce early exit from pipelines that generate a non-zero exit status.
  • You can take full control over shell parameters by providing a template string to the shell options. For example,bash {0}.
  • sh-like shells exit with the exit code of the last command executed in a script, which is also the default behavior for actions. The runner will report the status of the step as fail/succeed based on this exit code.

• powershell/pwsh

  • Fail-fast behavior when possible. Forpwshandpowershellbuilt-in shell, we will prepend$ErrorActionPreference = 'stop'to script contents.
  • We appendif ((Test-Path -LiteralPath variable:\LASTEXITCODE)) { exit $LASTEXITCODE }to powershell scripts so action statuses reflect the script's last exit code.
  • Users can always opt out by not using the built-in shell, and providing a custom shell option like:pwsh -File {0},orpowershell -Command "& '{0}'",depending on need.

• cmd

  • There doesn't seem to be a way to fully opt into fail-fast behavior other than writing your script to check each error code and respond accordingly. Because we can't actually provide that behavior by default, you need to write this behavior into your script.
  • cmd.exewill exit with the error level of the last program it executed, and it will return the error code to the runner. This behavior is internally consistent with the previousshandpwshdefault behavior and is thecmd.exedefault, so this behavior remains intact.

jobs.<job_id>.steps[*].with

Amapof the input parameters defined by the action. Each input parameter is a key/value pair. Input parameters are set as environment variables. The variable is prefixed withINPUT_and converted to upper case.

Input parameters defined for a Docker container must useargs.For more information, see "jobs.<job_id>.steps[*].with.args."

Example ofjobs.<job_id>.steps[*].with

Defines the three input parameters (first_name,middle_name,andlast_name) defined by thehello_worldaction. These input variables will be accessible to thehello-worldaction asINPUT_FIRST_NAME,INPUT_MIDDLE_NAME,andINPUT_LAST_NAMEenvironment variables.

jobs:
my_first_job:
steps:
-name:Myfirststep
uses:actions/hello_world@main
with:
first_name:Mona
middle_name:The
last_name:Octocat

jobs.<job_id>.steps[*].with.args

Astringthat defines the inputs for a Docker container. GitHub passes theargsto the container'sENTRYPOINTwhen the container starts up. Anarray of stringsis not supported by this parameter. A single argument that includes spaces should be surrounded by double quotes"".

Example ofjobs.<job_id>.steps[*].with.args

steps:
-name:Explainwhythisjobran
uses:octo-org/action-name@main
with:
entrypoint:/bin/echo
args:The${{github.event_name}}eventtriggeredthisstep.

Theargsare used in place of theCMDinstruction in aDockerfile.If you useCMDin yourDockerfile,use the guidelines ordered by preference:

1. Document required arguments in the action's README and omit them from theCMDinstruction.
2. Use defaults that allow using the action without specifying anyargs.
3. If the action exposes a--helpflag, or something similar, use that as the default to make your action self-documenting.

jobs.<job_id>.steps[*].with.entrypoint

Overrides the DockerENTRYPOINTin theDockerfile,or sets it if one wasn't already specified. Unlike the DockerENTRYPOINTinstruction which has a shell and exec form,entrypointkeyword accepts only a single string defining the executable to be run.

Example ofjobs.<job_id>.steps[*].with.entrypoint

steps:
-name:Runacustomcommand
uses:octo-org/action-name@main
with:
entrypoint:/a/different/executable

Theentrypointkeyword is meant to be used with Docker container actions, but you can also use it with JavaScript actions that don't define any inputs.

jobs.<job_id>.steps[*].env

Sets variables for steps to use in the runner environment. You can also set variables for the entire workflow or a job. For more information, seeenvandjobs.<job_id>.env.

When more than one environment variable is defined with the same name, GitHub uses the most specific variable. For example, an environment variable defined in a step will override job and workflow environment variables with the same name, while the step executes. An environment variable defined for a job will override a workflow variable with the same name, while the job executes.

Public actions may specify expected variables in the README file. If you are setting a secret or sensitive value, such as a password or token, you must set secrets using thesecretscontext. For more information, see "Accessing contextual information about workflow runs."

Example ofjobs.<job_id>.steps[*].env

steps:
-name:Myfirstaction
env:
GITHUB_TOKEN:${{secrets.GITHUB_TOKEN}}
FIRST_NAME:Mona
LAST_NAME:Octocat

jobs.<job_id>.steps[*].continue-on-error

Prevents a job from failing when a step fails. Set totrueto allow a job to pass when this step fails.

jobs.<job_id>.steps[*].timeout-minutes

The maximum number of minutes to run the step before killing the process.

Fractional values are not supported.timeout-minutesmust be a positive integer.

jobs.<job_id>.timeout-minutes

The maximum number of minutes to let a job run before GitHub automatically cancels it. Default: 360

If the timeout exceeds the job execution time limit for the runner, the job will be canceled when the execution time limit is met instead. For more information about job execution time limits, see "Usage limits, billing, and administration"for GitHub-hosted runners and"About self-hosted runners"for self-hosted runner usage limits.

jobs.<job_id>.strategy

Usejobs.<job_id>.strategyto use a matrix strategy for your jobs. A matrix strategy lets you use variables in a single job definition to automatically create multiple job runs that are based on the combinations of the variables. For example, you can use a matrix strategy to test your code in multiple versions of a language or on multiple operating systems. For more information, see "Running variations of jobs in a workflow."

jobs.<job_id>.strategy.matrix

Usejobs.<job_id>.strategy.matrixto define a matrix of different job configurations. Within your matrix, define one or more variables followed by an array of values. For example, the following matrix has a variable calledversionwith the value[10, 12, 14]and a variable calledoswith the value[ubuntu-latest, windows-latest]:

jobs:
example_matrix:
strategy:
matrix:
version:[10,12,14]
os:[ubuntu-latest,windows-latest]

A job will run for each possible combination of the variables. In this example, the workflow will run six jobs, one for each combination of theosandversionvariables.

By default, GitHub will maximize the number of jobs run in parallel depending on runner availability. The order of the variables in the matrix determines the order in which the jobs are created. The first variable you define will be the first job that is created in your workflow run. For example, the above matrix will create the jobs in the following order:

• {version: 10, os: ubuntu-latest}
• {version: 10, os: windows-latest}
• {version: 12, os: ubuntu-latest}
• {version: 12, os: windows-latest}
• {version: 14, os: ubuntu-latest}
• {version: 14, os: windows-latest}

A matrix will generate a maximum of 256 jobs per workflow run. This limit applies to both GitHub-hosted and self-hosted runners.

The variables that you define become properties in thematrixcontext, and you can reference the property in other areas of your workflow file. In this example, you can usematrix.versionandmatrix.osto access the current value ofversionandosthat the job is using. For more information, see "Accessing contextual information about workflow runs."

Example: Using a single-dimension matrix

You can specify a single variable to create a single-dimension matrix.

For example, the following workflow defines the variableversionwith the values[10, 12, 14].The workflow will run three jobs, one for each value in the variable. Each job will access theversionvalue through thematrix.versioncontext and pass the value asnode-versionto theactions/setup-nodeaction.

jobs:
example_matrix:
strategy:
matrix:
version:[10,12,14]
steps:
-uses:actions/setup-node@v4
with:
node-version:${{matrix.version}}

Example: Using a multi-dimension matrix

You can specify multiple variables to create a multi-dimensional matrix. A job will run for each possible combination of the variables.

For example, the following workflow specifies two variables:

• Two operating systems specified in theosvariable
• Three Node.js versions specified in theversionvariable

The workflow will run six jobs, one for each combination of theosandversionvariables. Each job will set theruns-onvalue to the currentosvalue and will pass the currentversionvalue to theactions/setup-nodeaction.

jobs:
example_matrix:
strategy:
matrix:
os:[ubuntu-22.04,ubuntu-20.04]
version:[10,12,14]
runs-on:${{matrix.os}}
steps:
-uses:actions/setup-node@v4
with:
node-version:${{matrix.version}}

A variable configuration in a matrix can be anarrayofobjects.

matrix:
os:
-ubuntu-latest
-macos-latest
node:
-version:14
-version:20
env:NODE_OPTIONS=--openssl-legacy-provider

This matrix produces 4 jobs with corresponding contexts.

-matrix.os:ubuntu-latest
matrix.node.version:14
-matrix.os:ubuntu-latest
matrix.node.version:20
matrix.node.env:NODE_OPTIONS=--openssl-legacy-provider
-matrix.os:macos-latest
matrix.node.version:14
-matrix.os:macos-latest
matrix.node.version:20
matrix.node.env:NODE_OPTIONS=--openssl-legacy-provider

Example: Using contexts to create matrices

You can use contexts to create matrices. For more information about contexts, see "Accessing contextual information about workflow runs."

For example, the following workflow triggers on therepository_dispatchevent and uses information from the event payload to build the matrix. When a repository dispatch event is created with a payload like the one below, the matrixversionvariable will have a value of[12, 14, 16].For more information about therepository_dispatchtrigger, see "Events that trigger workflows."

{
"event_type":"test",
"client_payload":{
"versions":[12,14,16]
}
}

on:
repository_dispatch:
types:
-test

jobs:
example_matrix:
runs-on:ubuntu-latest
strategy:
matrix:
version:${{github.event.client_payload.versions}}
steps:
-uses:actions/setup-node@v4
with:
node-version:${{matrix.version}}

jobs.<job_id>.strategy.matrix.include

Usejobs.<job_id>.strategy.matrix.includeto expand existing matrix configurations or to add new configurations. The value ofincludeis a list of objects.

For each object in theincludelist, the key:value pairs in the object will be added to each of the matrix combinations if none of the key:value pairs overwrite any of the original matrix values. If the object cannot be added to any of the matrix combinations, a new matrix combination will be created instead. Note that the original matrix values will not be overwritten, but added matrix values can be overwritten.

For example, this matrix:

strategy:
matrix:
fruit:[apple,pear]
animal:[cat,dog]
include:
-color:green
-color:pink
animal:cat
-fruit:apple
shape:circle
-fruit:banana
-fruit:banana
animal:cat

will result in six jobs with the following matrix combinations:

• {fruit: apple, animal: cat, color: pink, shape: circle}
• {fruit: apple, animal: dog, color: green, shape: circle}
• {fruit: pear, animal: cat, color: pink}
• {fruit: pear, animal: dog, color: green}
• {fruit: banana}
• {fruit: banana, animal: cat}

following this logic:

• {color: green}is added to all of the original matrix combinations because it can be added without overwriting any part of the original combinations.
• {color: pink, animal: cat}addscolor:pinkonly to the original matrix combinations that includeanimal: cat.This overwrites thecolor: greenthat was added by the previousincludeentry.
• {fruit: apple, shape: circle}addsshape: circleonly to the original matrix combinations that includefruit: apple.
• {fruit: banana}cannot be added to any original matrix combination without overwriting a value, so it is added as an additional matrix combination.
• {fruit: banana, animal: cat}cannot be added to any original matrix combination without overwriting a value, so it is added as an additional matrix combination. It does not add to the{fruit: banana}matrix combination because that combination was not one of the original matrix combinations.

Example: Expanding configurations

For example, the following workflow will run four jobs, one for each combination ofosandnode.When the job for theosvalue ofwindows-latestandnodevalue of16runs, an additional variable callednpmwith the value of6will be included in the job.

jobs:
example_matrix:
strategy:
matrix:
os:[windows-latest,ubuntu-latest]
node:[14,16]
include:
-os:windows-latest
node:16
npm:6
runs-on:${{matrix.os}}
steps:
-uses:actions/setup-node@v4
with:
node-version:${{matrix.node}}
-if:${{matrix.npm}}
run:npminstall-gnpm@${{matrix.npm}}
-run:npm--version

Example: Adding configurations

For example, this matrix will run 10 jobs, one for each combination ofosandversionin the matrix, plus a job for theosvalue ofwindows-latestandversionvalue of17.

jobs:
example_matrix:
strategy:
matrix:
os:[macos-latest,windows-latest,ubuntu-latest]
version:[12,14,16]
include:
-os:windows-latest
version:17

If you don't specify any matrix variables, all configurations underincludewill run. For example, the following workflow would run two jobs, one for eachincludeentry. This lets you take advantage of the matrix strategy without having a fully populated matrix.

jobs:
includes_only:
runs-on:ubuntu-latest
strategy:
matrix:
include:
-site:"production"
datacenter:"site-a"
-site:"staging"
datacenter:"site-b"

jobs.<job_id>.strategy.matrix.exclude

To remove specific configurations defined in the matrix, usejobs.<job_id>.strategy.matrix.exclude.An excluded configuration only has to be a partial match for it to be excluded. For example, the following workflow will run nine jobs: one job for each of the 12 configurations, minus the one excluded job that matches{os: macos-latest, version: 12, environment: production},and the two excluded jobs that match{os: windows-latest, version: 16}.

strategy:
matrix:
os:[macos-latest,windows-latest]
version:[12,14,16]
environment:[staging,production]
exclude:
-os:macos-latest
version:12
environment:production
-os:windows-latest
version:16
runs-on:${{matrix.os}}

jobs.<job_id>.strategy.fail-fast

You can control how job failures are handled withjobs.<job_id>.strategy.fail-fastandjobs.<job_id>.continue-on-error.

jobs.<job_id>.strategy.fail-fastapplies to the entire matrix. Ifjobs.<job_id>.strategy.fail-fastis set totrueor its expression evaluates totrue,GitHub will cancel all in-progress and queued jobs in the matrix if any job in the matrix fails. This property defaults totrue.

jobs.<job_id>.continue-on-errorapplies to a single job. Ifjobs.<job_id>.continue-on-erroristrue,other jobs in the matrix will continue running even if the job withjobs.<job_id>.continue-on-error: truefails.

You can usejobs.<job_id>.strategy.fail-fastandjobs.<job_id>.continue-on-errortogether. For example, the following workflow will start four jobs. For each job,continue-on-erroris determined by the value ofmatrix.experimental.If any of the jobs withcontinue-on-error: falsefail, all jobs that are in progress or queued will be cancelled. If the job withcontinue-on-error: truefails, the other jobs will not be affected.

jobs:
test:
runs-on:ubuntu-latest
continue-on-error:${{matrix.experimental}}
strategy:
fail-fast:true
matrix:
version:[6,7,8]
experimental:[false]
include:
-version:9
experimental:true

jobs.<job_id>.strategy.max-parallel

By default, GitHub will maximize the number of jobs run in parallel depending on runner availability. To set the maximum number of jobs that can run simultaneously when using amatrixjob strategy, usejobs.<job_id>.strategy.max-parallel.

For example, the following workflow will run a maximum of two jobs at a time, even if there are runners available to run all six jobs at once.

jobs:
example_matrix:
strategy:
max-parallel:2
matrix:
version:[10,12,14]
os:[ubuntu-latest,windows-latest]

jobs.<job_id>.continue-on-error

Prevents a workflow run from failing when a job fails. Set totrueto allow a workflow run to pass when this job fails.

Example: Preventing a specific failing matrix job from failing a workflow run

You can allow specific jobs in a job matrix to fail without failing the workflow run. For example, if you wanted to only allow an experimental job withnodeset to15to fail without failing the workflow run.

runs-on:${{matrix.os}}
continue-on-error:${{matrix.experimental}}
strategy:
fail-fast:false
matrix:
node:[13,14]
os:[macos-latest,ubuntu-latest]
experimental:[false]
include:
-node:15
os:ubuntu-latest
experimental:true

jobs.<job_id>.container

Usejobs.<job_id>.containerto create a container to run any steps in a job that don't already specify a container. If you have steps that use both script and container actions, the container actions will run as sibling containers on the same network with the same volume mounts.

If you do not set acontainer,all steps will run directly on the host specified byruns-onunless a step refers to an action configured to run in a container.

Example: Running a job within a container

name: CI
on:
push:
branches: [ main ]
jobs:
container-test-job:
runs-on: ubuntu-latest
container:
image: node:18
env:
NODE_ENV: development
ports:
- 80
volumes:
- my_docker_volume:/volume_mount
options: --cpus 1
steps:
- name: Check for dockerenv file
run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)

name:CI
on:
push:
branches:[main]
jobs:
container-test-job:
runs-on:ubuntu-latest
container:
image:node:18
env:
NODE_ENV:development
ports:
-80
volumes:
-my_docker_volume:/volume_mount
options:--cpus1
steps:
-name:Checkfordockerenvfile
run:(ls/.dockerenv&&echoFounddockerenv)||(echoNodockerenv)

When you only specify a container image, you can omit theimagekeyword.

jobs:
container-test-job:
runs-on:ubuntu-latest
container:node:18

jobs.<job_id>.container.image

Usejobs.<job_id>.container.imageto define the Docker image to use as the container to run the action. The value can be the Docker Hub image name or a registry name.

jobs.<job_id>.container.credentials

If the image's container registry requires authentication to pull the image, you can usejobs.<job_id>.container.credentialsto set amapof theusernameandpassword.The credentials are the same values that you would provide to thedocker logincommand.

Example: Defining credentials for a container registry

container:
image:ghcr.io/owner/image
credentials:
username:${{github.actor}}
password:${{secrets.github_token}}

jobs.<job_id>.container.env

Usejobs.<job_id>.container.envto set amapof environment variables in the container.

jobs.<job_id>.container.ports

Usejobs.<job_id>.container.portsto set anarrayof ports to expose on the container.

jobs.<job_id>.container.volumes

Usejobs.<job_id>.container.volumesto set anarrayof volumes for the container to use. You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.

To specify a volume, you specify the source and destination path:

<source>:<destinationPath>.

The<source>is a volume name or an absolute path on the host machine, and<destinationPath>is an absolute path in the container.

Example: Mounting volumes in a container

volumes:
-my_docker_volume:/volume_mount
-/data/my_data
-/source/directory:/destination/directory

jobs.<job_id>.container.options

Usejobs.<job_id>.container.optionsto configure additional Docker container resource options. For a list of options, see "docker createoptions."

jobs.<job_id>.services

Used to host service containers for a job in a workflow. Service containers are useful for creating databases or cache services like Redis. The runner automatically creates a Docker network and manages the life cycle of the service containers.

If you configure your job to run in a container, or your step uses container actions, you don't need to map ports to access the service or action. Docker automatically exposes all ports between containers on the same Docker user-defined bridge network. You can directly reference the service container by its hostname. The hostname is automatically mapped to the label name you configure for the service in the workflow.

If you configure the job to run directly on the runner machine and your step doesn't use a container action, you must map any required Docker service container ports to the Docker host (the runner machine). You can access the service container using localhost and the mapped port.

For more information about the differences between networking service containers, see "About service containers."

Example: Using localhost

This example creates two services: nginx and redis. When you specify the container port but not the host port, the container port is randomly assigned to a free port on the host. GitHub sets the assigned host port in the${{job.services.<service_name>.ports}}context. In this example, you can access the service host ports using the${{ job.services.nginx.ports['80'] }}and${{ job.services.redis.ports['6379'] }}contexts.

services:
nginx:
image:nginx
# Map port 8080 on the Docker host to port 80 on the nginx container
ports:
-8080:80
redis:
image:redis
# Map random free TCP port on Docker host to port 6379 on redis container
ports:
-6379/tcp
steps:
-run:|
echo "Redis available on 127.0.0.1:${{ job.services.redis.ports['6379'] }}"
echo "Nginx available on 127.0.0.1:${{ job.services.nginx.ports['80'] }}"

jobs.<job_id>.services.<service_id>.image

The Docker image to use as the service container to run the action. The value can be the Docker Hub image name or a registry name.

Ifjobs.<job_id>.services.<service_id>.imageis assigned an empty string, the service will not start. You can use this to set up conditional services, similar to the following example.

services:
nginx:
image:${{options.nginx==true&&'nginx'||''}}

jobs.<job_id>.services.<service_id>.credentials

If the image's container registry requires authentication to pull the image, you can usejobs.<job_id>.container.credentialsto set amapof theusernameandpassword.The credentials are the same values that you would provide to thedocker logincommand.

Example ofjobs.<job_id>.services.<service_id>.credentials

services:
myservice1:
image:ghcr.io/owner/myservice1
credentials:
username:${{github.actor}}
password:${{secrets.github_token}}
myservice2:
image:dockerhub_org/myservice2
credentials:
username:${{secrets.DOCKER_USER}}
password:${{secrets.DOCKER_PASSWORD}}

jobs.<job_id>.services.<service_id>.env

Sets amapof environment variables in the service container.

jobs.<job_id>.services.<service_id>.ports

Sets anarrayof ports to expose on the service container.

jobs.<job_id>.services.<service_id>.volumes

Sets anarrayof volumes for the service container to use. You can use volumes to share data between services or other steps in a job. You can specify named Docker volumes, anonymous Docker volumes, or bind mounts on the host.

To specify a volume, you specify the source and destination path:

<source>:<destinationPath>.

The<source>is a volume name or an absolute path on the host machine, and<destinationPath>is an absolute path in the container.

Example ofjobs.<job_id>.services.<service_id>.volumes

volumes:
-my_docker_volume:/volume_mount
-/data/my_data
-/source/directory:/destination/directory

jobs.<job_id>.services.<service_id>.options

Additional Docker container resource options. For a list of options, see "docker createoptions."

jobs.<job_id>.uses

The location and version of a reusable workflow file to run as a job. Use one of the following syntaxes:

• {owner}/{repo}/.github/workflows/{filename}@{ref}for reusable workflows in public and private repositories.
• ./.github/workflows/{filename}for reusable workflows in the same repository.

In the first option,{ref}can be a SHA, a release tag, or a branch name. If a release tag and a branch have the same name, the release tag takes precedence over the branch name. Using the commit SHA is the safest option for stability and security. For more information, see "Security hardening for GitHub Actions."

If you use the second syntax option (without{owner}/{repo}and@{ref}) the called workflow is from the same commit as the caller workflow. Ref prefixes such asrefs/headsandrefs/tagsare not allowed. You cannot use contexts or expressions in this keyword.

Example ofjobs.<job_id>.uses

jobs:
call-workflow-1-in-local-repo:
uses:octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
call-workflow-2-in-local-repo:
uses:./.github/workflows/workflow-2.yml
call-workflow-in-another-repo:
uses:octo-org/another-repo/.github/workflows/workflow.yml@v1

For more information, see "Reusing workflows."

jobs.<job_id>.with

When a job is used to call a reusable workflow, you can usewithto provide a map of inputs that are passed to the called workflow.

Any inputs that you pass must match the input specifications defined in the called workflow.

Unlikejobs.<job_id>.steps[*].with,the inputs you pass withjobs.<job_id>.withare not available as environment variables in the called workflow. Instead, you can reference the inputs by using theinputscontext.

Example ofjobs.<job_id>.with

jobs:
call-workflow:
uses:octo-org/example-repo/.github/workflows/called-workflow.yml@main
with:
username:mona

jobs.<job_id>.with.<input_id>

A pair consisting of a string identifier for the input and the value of the input. The identifier must match the name of an input defined byon.workflow_call.inputs.<inputs_id>in the called workflow. The data type of the value must match the type defined byon.workflow_call.inputs.<input_id>.typein the called workflow.

Allowed expression contexts:github,andneeds.

jobs.<job_id>.secrets

When a job is used to call a reusable workflow, you can usesecretsto provide a map of secrets that are passed to the called workflow.

Any secrets that you pass must match the names defined in the called workflow.

Example ofjobs.<job_id>.secrets

jobs:
call-workflow:
uses:octo-org/example-repo/.github/workflows/called-workflow.yml@main
secrets:
access-token:${{secrets.PERSONAL_ACCESS_TOKEN}}

jobs.<job_id>.secrets.inherit

Use theinheritkeyword to pass all the calling workflow's secrets to the called workflow. This includes all secrets the calling workflow has access to, namely organization, repository, and environment secrets. Theinheritkeyword can be used to pass secrets across repositories within the same organization, or across organizations within the same enterprise.

Example ofjobs.<job_id>.secrets.inherit

on:
workflow_dispatch:

jobs:
pass-secrets-to-workflow:
uses:./.github/workflows/called-workflow.yml
secrets:inherit

on:
workflow_call:

jobs:
pass-secret-to-action:
runs-on:ubuntu-latest
steps:
-name:Usearepoororgsecretfromthecallingworkflow.
run:echo${{secrets.CALLING_WORKFLOW_SECRET}}

jobs.<job_id>.secrets.<secret_id>

A pair consisting of a string identifier for the secret and the value of the secret. The identifier must match the name of a secret defined byon.workflow_call.secrets.<secret_id>in the called workflow.

Allowed expression contexts:github,needs,andsecrets.

Filter pattern cheat sheet

You can use special characters in path, branch, and tag filters.

• *:Matches zero or more characters, but does not match the/character. For example,Octo*matchesOctocat.
• **:Matches zero or more of any character.
• ?:Matches zero or one of the preceding character.
• +:Matches one or more of the preceding character.
• []Matches one Alpha numeric character listed in the brackets or included in ranges. Ranges can only includea-z,A-Z,and0-9.For example, the range[0-9a-z]matches any digit or lowercase letter. For example,[CB]atmatchesCatorBatand[1-2]00matches100and200.
• !:At the start of a pattern makes it negate previous positive patterns. It has no special meaning if not the first character.

The characters*,[,and!are special characters in YAML. If you start a pattern with*,[,or!,you must enclose the pattern in quotes. Also, if you use aflow sequencewith a pattern containing[and/or],the pattern must be enclosed in quotes.

# Valid
paths:
-'**/README.md'

# Invalid - creates a parse error that
# prevents your workflow from running.
paths:
-**/README.md

# Valid
branches:[main,'release/v[0-9].[0-9]']

# Invalid - creates a parse error
branches:[main,release/v[0-9].[0-9] ]

For more information about branch, tag, and path filter syntax, see "on.<push>.<branches|tags>","on.<pull_request>.<branches|tags>",and"on.<push|pull_request>.paths."

Patterns to match branches and tags

Patterns to match file paths

Path patterns must match the whole path, and start from the repository's root.