Managing workflows

Note: GitHub Actions is currently available in public beta, which means you should avoid using it for high-value workflows and content during this beta period.

Features and requirements may change at any time during this period. You can request to join the public beta on the GitHub Actions page. If you're participating in the beta, please contact support if you have any questions.

Workflows are a composite of many different GitHub Actions, or tasks you want to accomplish, and are triggered by webhook events. To create a workflow, you will add one or more workflow blocks to the .github/main.workflow file. Each workflow block will contain any number of Actions you want performed when specified during your workflow.

If you are using your OAuth App with GitHub Actions, GitHub prevents the app from creating or editing Actions workflow files to help keep your repository secure. GitHub Apps can only add or update .github/main.workflow when the entire new workflow file content matches an existing workflow file on another branch in the same repository. These restrictions help protect your repository by preventing:

  • Malicious workflows from exposing your secrets.
  • Unintended access to the repository's $GITHUB_TOKEN which may have more privileges than the app authoring the workflow.

For more on workflows, see "Creating a workflow with GitHub Actions" and "Viewing your repository's workflow" in the GitHub Help documentation.

Creating and cancelling a workflow

Using the visual or file editor, you can create a workflow that contains GitHub Actions, and their relationships to each other. Once you've created a .github/main.workflow file, you need to add workflow and actions blocks.

Workflow configuration options

The workflow configuration options provide the details you need to complete the workflow and actions blocks.

Storing secrets

You can store encrypted secrets in the visual workflow editor or the repository settings and choose which actions within a workflow file will have access to the decrypted values. Production secrets should not be stored in the API during the limited public beta period.

Triggering a repository dispatch webhook

You can use the repository dispatch webhook to trigger workflows from external systems that don't map to one of GitHub's event types.