DOC_INDEX
THEME
DOCS/Getting Started/OrchStep in CI

OrchStep in CI

Run the same orchstep.yml locally and in CI - GitHub Actions and GitLab, with plain logs, exit codes, and inline failure annotations

The whole point of a single static binary is that the workflow you run on your laptop runs byte-for-byte the same in CI. There's nothing to install differently - curl | sh the binary (or use the official actions) and run the same orchstep.yml.

CI gets the machine-friendly behavior automatically: piped output is plain (no emoji/boxes), failures follow a documented exit-code contract, and on GitHub the failure shows up as an inline ::error annotation.

GitHub Actions

Two official actions: orchstep/setup-orchstep installs the CLI, orchstep/run-orchstep installs and runs in one step.

One step (install + run)

name: orchstep
on: [push, pull_request]
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: orchstep/run-orchstep@v1
        with:
          workflow: orchstep.yml
          task: ci            # default: the main task

A failed run fails the job, prints plain logs in the run, and adds an inline ::error annotation pointing at the offending file/line.

Install once, run several tasks

steps:
  - uses: actions/checkout@v4
  - uses: orchstep/setup-orchstep@v1
    with:
      version: latest         # or a pinned semver
  - run: orchstep lint
  - run: orchstep run build
  - run: orchstep run deploy --env staging

Structured result for later steps

Keep the readable logs and capture a machine-readable result:

  - uses: orchstep/run-orchstep@v1
    with:
      workflow: orchstep.yml
      task: deploy
      json-file: result.json   # logs stream to the run; result written to a file
  - run: jq -r '.status' result.json

run-orchstep also exposes exit-code and summary outputs, and writes a collapsible step summary to the job page.

Reproducible module supply chain

Commit your orchstep.lock and gate the build so a force-moved module tag fails CI instead of silently changing what runs:

  - uses: orchstep/setup-orchstep@v1
  - run: orchstep module verify   # exits non-zero on supply-chain drift
  - run: orchstep run deploy

GitLab CI

No action needed - install the binary and run:

orchstep:
  image: alpine:latest
  before_script:
    - apk add --no-cache curl bash git
    - curl -fsSL https://orchstep.dev/install.sh | sh
  script:
    - orchstep module verify
    - orchstep run ci --output plain

--output plain is explicit here; OrchStep would auto-detect it anyway since the GitLab job log is not a TTY.

Exit codes in any CI

Branch on the kind of failure, not just pass/fail:

CodeMeaning
0success
1a task/step failed
3the workflow itself is broken (bad key, unmet required.orchstep, missing file)
4an assert step failed

See Output & Exit Codes for the full contract and JSON shape.