Skip to main content

GitHub Actions templates for deploying to Astro from private networks


The Astro GitHub integration can automatically deploy code from a GitHub repository to Astro without you needing to configure a GitHub action. In addition, the Astro UI shows Git metadata for each deploy on your Deployment information screen. See Deploy code with the Astro GitHub integration for setup steps.

If you don't have access to the Astronomer deploy action because you can't access the public internet from your GitHub repository, use one of the following private network templates to deploy to Astro.

Read the following sections to choose the right template for your use case. If you have one Deployment and one environment on Astro, use the single branch implementation. If you have multiple Deployments that support development and production environments, use the multiple branch implementation. If your team builds custom Docker images, use the custom image implementation.

You can configure your CI/CD pipelines to deploy a full project image or your dags directory. To learn more about CI/CD on Astro, see Choose a CI/CD strategy.


If you use a self-hosted runner to execute jobs from GitHub Actions, the Astro CLI's config.yaml file, which stores default deploy details, might be shared across your organization and hence multiple CI/CD pipelines. To reduce the risk of accidentally deploying to the wrong Deployment, ensure the following:

  • Add ASTRO_API_TOKEN to your repository and include a check in your GitHub workflow to verify that it exists.
  • Use Deployment API tokens, which are scoped only to one Deployment, instead of Workspace or Organization API tokens.
  • Specify deployment-id or deployment-name in your action. For example, astro deploy <deployment-id> or astro deploy -n <deployment-name>.
  • Add the command astro logout at the end of your workflow to ensure that your authentication token is cleared from the config.yaml file.



To automate code deploys to a Deployment using GitHub Actions, complete the following setup in a Git-based repository that hosts an Astro project:

  1. Set the following as GitHub secrets:

    • ASTRO_API_TOKEN: The value for your Workspace or Organization API token.
  2. In your project repository, create a new YAML file in .github/workflows that includes the following configuration. When you make a commit to a specified branch, this workflow sets your Deployment API credentials as environment variables, installs the latest version of the Astro CLI, checks to see if your dags folder has changes, and then either completes a full code deploy or a DAG-only code deploy.

    name: Astronomer CI - Deploy code

    - main

    ## Sets Deployment API credentials as environment variables

    runs-on: ubuntu-latest # add the appropriate image
    # Install the Astro CLI (current version)
    - name: checkout repo
    uses: actions/checkout@v3
    fetch-depth: 2
    clean: false
    - name: Install the CLI
    run: curl -sSL | sudo bash -s
    # Determine if only DAG files have changes
    - name: Deploy to Astronomer
    run: |
    files=$(git diff --name-only $(git rev-parse HEAD~1) -- .)
    for file in $files; do
    if [[ $file != dags/* ]]; then
    echo "$file is not a dag, triggering a full image build"
    ### If only DAGs changed deploy only the DAGs in your 'dags' folder to your Deployment
    if [ $dags_only == 1 ]
    astro deploy --dags
    ### If any other files changed build your Astro project into a Docker image, push the image to your Deployment, and then push and DAG changes
    if [ $dags_only == 0 ]
    astro deploy

Was this page helpful?

Sign up for Developer Updates

Get a summary of new Astro features once a month.

You can unsubscribe at any time.
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.