[/sandbox/*
+ ```
## Token claim reference
diff --git a/content/ci/overview.mdx b/content/ci/overview.mdx
index 595165e..4b1eb08 100644
--- a/content/ci/overview.mdx
+++ b/content/ci/overview.mdx
@@ -80,7 +80,7 @@ Your original `.github/` workflows continue running on GitHub in parallel until
]
- - [Run a workflow against your local working tree](/docs/ci/how-to-guides/manage-workflow-runs#run-against-uncommitted-changes) without pushing to GitHub first.
+ - [Run a workflow against your local working tree](/docs/ci/how-to-guides/manage-workflow-runs#run-workflows-with-local-changes) without pushing to GitHub first.
- Uncommitted changes are automatically patched into the job after checkout.
- Pass
--job to run a subset of jobs.
diff --git a/content/cli/authentication.mdx b/content/cli/authentication.mdx
index a6554c2..ab20d42 100644
--- a/content/cli/authentication.mdx
+++ b/content/cli/authentication.mdx
@@ -8,16 +8,16 @@ The Depot CLI supports token-based authentication and OIDC trust relationships f
## Tokens
-Depot supports [Organization](#organization-tokens), [Project](#project-tokens), and [User](#user-access-tokens) tokens. Each token type grants full access to different Depot services depending on its scope:
+Depot supports [Organization](#organization-tokens), [Project](#project-tokens), [User](#user-access-tokens), and [Pull](#pull-tokens) tokens. Each token type grants full access to different Depot services depending on its scope:
-| Service | User token | Organization token | Project token |
-| ---------------- | ---------- | ------------------ | ------------------- |
-| Container Builds | ✅ | ✅ | ✅ (project-scoped) |
-| Registry | ✅ | ✅ | ✅ (project-scoped) |
-| Depot CI | ✅ | ✅ | — |
-| Cache | ✅ | ✅ | — |
-| Agents | ✅ | ✅ | — |
-| API | ✅ | ✅ | — |
+| Service | User token | Organization token | Project token | Pull token |
+| ---------------- | ---------- | ------------------ | ------------------- | -------------- |
+| Container Builds | ✅ | ✅ | ✅ (project-scoped) | — |
+| Registry | ✅ | ✅ | ✅ (project-scoped) | ✅ (read-only) |
+| Depot CI | ✅ | ✅ | — | — |
+| Cache | ✅ | ✅ | — | — |
+| Agents | ✅ | ✅ | — | — |
+| API | ✅ | ✅ | — | — |
### User access tokens
@@ -53,6 +53,18 @@ To generate a project token:
4. Under **Project Tokens**, enter a token description and click **Create token**.
5. Copy the token and save it securely. You won't be able to retrieve the value again from the dashboard.
+### Pull tokens
+
+Pull tokens are short-lived, read-only tokens scoped to the Depot Registry. They grant pull access only and cannot be used to push images or authenticate any other Depot service. Use them in environments that only need to pull images, like production deployments or CI jobs pulling base images.
+
+Generate a pull token with the Depot CLI:
+
+```shell
+depot pull-token --project
+```
+
+Pull tokens expire automatically and are not listed or manageable from the dashboard.
+
### Token resolution
Most Depot CLI commands accept the `--token` flag, which lets you pass an organization, user, or project token directly. The CLI resolves tokens in the following order:
diff --git a/content/cli/reference/depot-ci.mdx b/content/cli/reference/depot-ci.mdx
index 6f841dd..ebd1379 100644
--- a/content/cli/reference/depot-ci.mdx
+++ b/content/cli/reference/depot-ci.mdx
@@ -1,7 +1,7 @@
---
title: 'Depot CLI: Depot CI commands reference'
ogTitle: 'Depot CLI: Depot CI commands reference'
-description: Reference for all Depot CI CLI commands, including migrate, run, ssh, secrets, vars, status, and logs.
+description: Reference for the Depot CI CLI commands for migrating workflows, triggering and monitoring runs, managing secrets and variables, and debugging jobs over SSH.
---
Reference for all `depot ci` commands. To install the Depot CLI, see [Installation](/docs/cli/installation).
@@ -66,7 +66,7 @@ Copies workflows from `.github/workflows/` into `.depot/workflows/`, applying De
depot ci migrate workflows
```
-#### What the command does
+#### What `depot ci migrate workflows` does
1. Discovers all workflow files in `.github/workflows/`.
2. Analyzes each workflow for compatibility with Depot CI.
@@ -178,9 +178,15 @@ depot ci run --workflow .depot/workflows/ci.yml --job build --ssh-after-step 3
Both `--ssh` and `--ssh-after-step` require exactly one `--job` to be specified.
+### What `depot ci run` does
+
+When you run `depot ci run` with local changes, the CLI automatically detects the changes and uploads a patch. For any job that has an `actions/checkout` step, the CLI injects a step into each job to apply that patch after checkout. The run reflects your local state without requiring a push. For branches that exist on the remote, the patch contains only unpushed changes. For local-only branches, the patch is relative to the default branch.
+
+Each time you run `depot ci run` locally, the CLI uploads a fresh patch, so you can keep iterating until the workflow passes.
+
---
-## `depot ci run list`
+### `depot ci run list`
Lists CI runs for your organization. By default returns the 50 most recent queued and running runs.
@@ -190,29 +196,293 @@ depot ci run list
Alias: `depot ci run ls`.
-### Flags
+#### Flags
-| Flag | Description |
-| ------------------- | ------------------------------------------------------------------------------------------------- |
-| `--status ` | Filter by status; can be repeated. Values: `queued`, `running`, `finished`, `failed`, `cancelled` |
-| `-n ` | Number of runs to return (default: `50`) |
-| `--output json` | Output as JSON instead of a table |
-| `--org ` | Organization ID (required when user is a member of multiple organizations) |
-| `--token ` | Depot API token |
+| Flag | Description |
+| --------------------- | ------------------------------------------------------------------------------------------------- |
+| `--status ` | Filter by status; can be repeated. Values: `queued`, `running`, `finished`, `failed`, `cancelled` |
+| `--repo ` | Filter by repository |
+| `--sha ` | Filter by commit SHA prefix |
+| `--trigger ` | Filter by trigger event, for example `push` or `workflow_dispatch` |
+| `--pr ` | Filter by pull request number (requires `--repo`) |
+| `-n ` | Number of runs to return (default: `50`) |
+| `--output json` | Output as JSON instead of a table |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
-### Examples
+#### Examples
+
+##### List failed runs:
```bash
-# List failed runs
depot ci run list --status failed
+```
+
+##### List failed runs for a pull request:
+
+```bash
+depot ci run list --repo depot/api --status failed --pr 42
+```
-# List finished and failed runs
+##### List workflow dispatch runs:
+
+```bash
+depot ci run list --trigger workflow_dispatch
+```
+
+##### List finished and failed runs:
+
+```bash
depot ci run list --status finished --status failed
+```
+
+##### List the 5 most recent runs:
-# List the 5 most recent runs
+```bash
depot ci run list -n 5
```
+##### List runs as JSON:
+
+```bash
+depot ci run list --output json
+```
+
+JSON response:
+
+```json
+[
+ {
+ "run_id": "",
+ "repo": "depot/demo-app",
+ "trigger": "push",
+ "sha": "abc123def456",
+ "status": "finished",
+ "created_at": "2026-04-23T14:30:45Z"
+ }
+]
+```
+
+The `status` field is a string: `queued`, `running`, `finished`, `failed`, or `cancelled`.
+
+---
+
+## `depot ci workflow`
+
+Manages CI workflows.
+
+### `depot ci workflow list`
+
+Lists recent CI workflow runs for your organization. By default returns the 50 most recent.
+
+```bash
+depot ci workflow list
+```
+
+Alias: `depot ci workflow ls`.
+
+#### Flags
+
+| Flag | Description |
+| --------------------- | ------------------------------------------------------------------------------------------------- |
+| `-n ` | Number of recent workflows to return (default: `50`, max: `200`) |
+| `--name ` | Filter by workflow name |
+| `--repo ` | Filter by repository in `owner/name` format |
+| `--status ` | Filter by status; can be repeated. Values: `queued`, `running`, `finished`, `failed`, `cancelled` |
+| `--trigger ` | Filter by trigger event, for example `push` or `workflow_dispatch` |
+| `--sha ` | Filter by head SHA prefix |
+| `--pr ` | Filter by pull request number |
+| `--output json` | Output as JSON instead of a table |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
+
+#### Examples
+
+##### List recent workflows:
+
+```bash
+depot ci workflow list
+```
+
+##### List the 5 most recent workflows:
+
+```bash
+depot ci workflow list -n 5
+```
+
+##### Filter by workflow name:
+
+```bash
+depot ci workflow list --name deploy
+```
+
+##### Filter workflows by repo, status, and SHA:
+
+```bash
+depot ci workflow list --repo depot/api --status failed --sha abc123
+```
+
+##### List workflows as JSON:
+
+```bash
+depot ci workflow list --output json
+```
+
+JSON response:
+
+```json
+[
+ {
+ "workflow_id": "",
+ "name": "CI",
+ "workflow_path": ".depot/workflows/ci.yml",
+ "repo": "depot/api",
+ "status": "finished",
+ "trigger": "push",
+ "run_id": "",
+ "sha": "",
+ "head_sha": "",
+ "created_at": "2026-04-28T12:00:00Z",
+ "job_counts": {
+ "total": 5,
+ "queued": 0,
+ "waiting": 0,
+ "running": 0,
+ "finished": 5,
+ "failed": 0,
+ "cancelled": 0,
+ "skipped": 0
+ }
+ }
+]
+```
+
+The `status` field is a string: `queued`, `running`, `finished`, `failed`, or `cancelled`.
+
+---
+
+### `depot ci workflow show`
+
+Shows a CI workflow, including the parent run context, executions, jobs, and per-job attempt details.
+
+```bash
+depot ci workflow show
+```
+
+Alias: `depot ci workflow get`.
+
+#### Flags
+
+| Flag | Description |
+| ----------------- | -------------------------------------------------------------------------- |
+| `--output json` | Output as JSON instead of a table |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
+
+#### Examples
+
+##### Show a workflow:
+
+```bash
+depot ci workflow show
+```
+
+The command prints:
+
+- Org, repo, run ID with status, workflow ID with status, name, path, ref, SHA, and trigger.
+- Each execution with its status, start time, finish time, and duration.
+- Each job with its status and duration. For each job, the latest attempt's ID, status, sandbox ID, session ID, and a ready-to-run `depot ci logs` command are shown. If the job has more than one attempt, all attempts are listed.
+
+##### Show a workflow as JSON:
+
+```bash
+depot ci workflow show --output json
+```
+
+JSON response:
+
+```json
+{
+ "org_id": "",
+ "run": {
+ "run_id": "",
+ "repo": "depot/api",
+ "ref": "refs/heads/main",
+ "sha": "",
+ "head_sha": "",
+ "trigger": "push",
+ "status": "failed",
+ "created_at": "2026-04-30T14:01:00Z",
+ "started_at": "2026-04-30T14:02:00Z",
+ "finished_at": "2026-04-30T14:25:15Z"
+ },
+ "workflow": {
+ "workflow_id": "",
+ "name": "CI",
+ "workflow_path": ".depot/workflows/ci.yml",
+ "status": "failed",
+ "error_message": "tests failed",
+ "created_at": "2026-04-30T14:01:05Z",
+ "started_at": "2026-04-30T14:02:11Z",
+ "finished_at": "2026-04-30T14:25:15Z"
+ },
+ "executions": [...],
+ "jobs": [...]
+}
+```
+
+---
+
+## `depot ci dispatch`
+
+Triggers a workflow via `workflow_dispatch`. Inputs are validated against the workflow's declared input schema, so required inputs must be supplied and typed inputs (`boolean`, `number`, `choice`) are coerced on the server.
+
+```bash
+depot ci dispatch --repo --workflow --ref
+```
+
+**Note**: `--workflow` takes the workflow file's basename (for example `deploy.yml`), not the full repo path `.depot/workflows/deploy.yml`.
+
+### Flags
+
+| Flag | Description |
+| ----------------------- | ------------------------------------------------------------------------------ |
+| `--repo ` | Target GitHub repository (required) |
+| `--workflow ` | Workflow file basename (required), for example `deploy.yml`, not the full path |
+| `--ref ` | Branch or tag name to run the workflow on (required) |
+| `--input =` | Workflow input as `key=value`; repeat for multiple inputs |
+| `--output json` | Output the RPC response as JSON |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
+
+### Examples
+
+#### Dispatch a workflow on the main branch
+
+```bash
+depot ci dispatch --repo depot/demo-app --workflow deploy.yml --ref main
+```
+
+```bash
+depot ci dispatch --repo depot/demo-app --workflow deploy.yml --ref main --output json
+```
+
+JSON response:
+
+```json
+{
+ "org_id": "",
+ "run_id": ""
+}
+```
+
+#### Pass inputs
+
+```bash
+depot ci dispatch --repo depot/demo-app --workflow deploy.yml --ref main \
+ --input environment=staging --input dry_run=true
+```
+
---
## `depot ci status`
@@ -239,6 +509,199 @@ Replace `` with the run ID returned by `depot ci run` or visible in the
---
+## `depot ci cancel`
+
+Cancels a queued or running workflow (all its jobs), or a single job within a workflow.
+
+```bash
+depot ci cancel --workflow
+depot ci cancel --job
+```
+
+Exactly one of `--workflow` or `--job` must be provided; they are mutually exclusive. When you pass `--job`, the CLI looks up the containing workflow via the run's status, so you do not need to also pass `--workflow`.
+
+Workflows and jobs that have already reached a terminal state (finished, failed, or cancelled) cannot be cancelled and will return an error.
+
+### Flags
+
+| Flag | Description |
+| ----------------- | -------------------------------------------------------------------------- |
+| `--workflow ` | Workflow ID to cancel (mutually exclusive with `--job`) |
+| `--job ` | Job ID to cancel (mutually exclusive with `--workflow`) |
+| `--output json` | Output the RPC response as JSON |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
+
+### Examples
+
+#### Cancel an entire workflow (all jobs within it)
+
+```bash
+depot ci cancel --workflow
+```
+
+```bash
+depot ci cancel --workflow --output json
+```
+
+JSON response:
+
+```json
+{"workflow_id": "", "status": "cancelled"}
+```
+
+#### Cancel a single job (workflow is resolved automatically)
+
+```bash
+depot ci cancel --job
+```
+
+```bash
+depot ci cancel --job --output json
+```
+
+JSON response:
+
+```json
+{"job_id": "", "status": "cancelled"}
+```
+
+---
+
+## `depot ci rerun`
+
+Re-runs every job in a workflow that has reached a terminal state. Creates a new attempt for each job.
+
+```bash
+depot ci rerun
+```
+
+If the run contains multiple workflows, pass `--workflow ` to select one. When the run contains a single workflow, the CLI resolves it automatically. Rerunning a workflow that is still running returns a precondition error — cancel it first if you want to restart.
+
+### Flags
+
+| Flag | Description |
+| ----------------- | -------------------------------------------------------------------------- |
+| `--workflow ` | Workflow ID to rerun (required when the run contains multiple workflows) |
+| `--output json` | Output the RPC response as JSON |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
+
+### Examples
+
+#### Rerun the workflow in a run
+
+```bash
+depot ci rerun
+```
+
+```bash
+depot ci rerun --output json
+```
+
+JSON response:
+
+```json
+{"workflow_id": "", "job_count": 5}
+```
+
+#### Rerun a specific workflow in a multi-workflow run
+
+```bash
+depot ci rerun --workflow
+```
+
+```bash
+depot ci rerun --workflow --output json
+```
+
+JSON response:
+
+```json
+{"workflow_id": "", "job_count": 5}
+```
+
+---
+
+## `depot ci retry`
+
+Retries a single failed or cancelled job, or every failed and cancelled job in a workflow.
+
+```bash
+depot ci retry --job
+depot ci retry --failed
+```
+
+Requires exactly one of `--job` or `--failed`.
+
+- `--job ` retries a single job. The workflow containing the job is resolved automatically from the run's status.
+- `--failed` retries every failed/cancelled job in the workflow. If the run contains multiple workflows, pass `--workflow `; otherwise the single workflow is resolved automatically.
+
+Each retry creates a new attempt for the selected job(s); the previous attempts are preserved and visible in `depot ci status`.
+
+### Flags
+
+| Flag | Description |
+| ----------------- | ---------------------------------------------------------------------------------- |
+| `--job ` | Job ID to retry (mutually exclusive with `--failed`) |
+| `--failed` | Retry every failed/cancelled job in the workflow (mutually exclusive with `--job`) |
+| `--workflow ` | Workflow ID; required with `--failed` when the run has multiple workflows |
+| `--output json` | Output the RPC response as JSON |
+| `--org ` | Organization ID (required when user is a member of multiple organizations) |
+| `--token ` | Depot API token |
+
+### Examples
+
+#### Retry a single job
+
+```bash
+depot ci retry --job
+```
+
+```bash
+depot ci retry --job --output json
+```
+
+JSON response:
+
+```json
+{"job_id": "", "attempt_id": "", "attempt": 2, "status": "queued"}
+```
+
+#### Retry every failed and cancelled job in the only workflow
+
+```bash
+depot ci retry --failed
+```
+
+```bash
+depot ci retry --failed --output json
+```
+
+JSON response:
+
+```json
+{"workflow_id": "", "job_ids": ["", "..."], "job_count": 3}
+```
+
+#### Retry every failed and cancelled job in a specific workflow
+
+```bash
+depot ci retry --failed --workflow
+```
+
+```bash
+depot ci retry --failed --workflow --output json
+```
+
+JSON response:
+
+```json
+{"workflow_id": "", "job_ids": ["", "..."], "job_count": 3}
+```
+
+---
+
## `depot ci logs`
Fetches and prints the log output for a CI job. Accepts a run ID, job ID, or attempt ID. When given a run or job ID, the command resolves to the latest attempt automatically. Use `--job` and `--workflow` to disambiguate when a run has multiple jobs.
@@ -258,17 +721,27 @@ depot ci logs
### Examples
+#### Fetch logs by attempt ID
+
```bash
-# Fetch logs by attempt ID
depot ci logs
+```
+
+#### Fetch logs for the latest attempt of a run
-# Fetch logs for the latest attempt of a run (single-job workflow)
+```bash
depot ci logs
+```
+
+#### Fetch logs for a specific job in a run
-# Fetch logs for a specific job in a run
+```bash
depot ci logs --job test
+```
+
+#### Disambiguate when job names overlap across workflows
-# Disambiguate with workflow path when job names overlap across workflows
+```bash
depot ci logs --job build --workflow ci.yml
```
@@ -294,20 +767,39 @@ depot ci ssh
### Examples
+#### Connect to a job by job ID
+
```bash
-# Connect to a job by job ID
depot ci ssh
+```
+
+#### Connect to a specific job in a run
-# Connect to a specific job in a run
+```bash
depot ci ssh --job build
+```
-# Print SSH connection details without connecting
+#### Print SSH connection details without connecting
+
+```bash
depot ci ssh --info
+```
-# Print SSH connection details as JSON
+```bash
depot ci ssh --info --output json
```
+JSON response:
+
+```json
+{
+ "host": "api.depot.dev",
+ "sandbox_id": "",
+ "session_id": "",
+ "ssh_command": "ssh @api.depot.dev"
+}
+```
+
---
## `depot ci secrets`
@@ -322,9 +814,9 @@ depot ci secrets add SECRET_NAME
Supports three modes:
-- **Single secret with prompt**: `depot ci secrets add SECRET_NAME` — omit `--value` and the CLI prompts you to enter the value securely (input is hidden).
-- **Single secret with flag**: `depot ci secrets add SECRET_NAME --value "val"`
-- **Bulk KEY=VALUE pairs**: `depot ci secrets add FOO=bar BAZ=qux` — sets multiple secrets in one command. The `--value` and `--description` flags cannot be used in this mode.
+- Single secret with prompt: `depot ci secrets add SECRET_NAME` — omit `--value` and the CLI prompts you to enter the value securely (input is hidden).
+- Single secret with flag: `depot ci secrets add SECRET_NAME --value "val"`
+- Bulk KEY=VALUE pairs: `depot ci secrets add FOO=bar BAZ=qux` — sets multiple secrets in one command. The `--value` and `--description` flags cannot be used in this mode.
| Flag | Description |
| ---------------------- | ------------------------------------------------------------------------------------ |
@@ -334,6 +826,38 @@ Supports three modes:
| `--org ` | Organization ID |
| `--token ` | Depot API token |
+#### Examples
+
+##### Add an org-wide secret (prompts for value):
+
+```bash
+depot ci secrets add MY_API_KEY
+```
+
+##### Add an org-wide secret with value inline:
+
+```bash
+depot ci secrets add MY_API_KEY --value "secret-value"
+```
+
+##### Add a secret with a description:
+
+```bash
+depot ci secrets add MY_API_KEY --value "secret-value" --description "API key for payment provider"
+```
+
+##### Add multiple secrets using KEY=VALUE pairs:
+
+```bash
+depot ci secrets add GITHUB_TOKEN=ghp_xxx MY_API_KEY=secret-value
+```
+
+##### Add a repo-scoped secret:
+
+```bash
+depot ci secrets add DATABASE_URL --repo owner/repo --value "postgres://..."
+```
+
### `depot ci secrets list`
```bash
@@ -349,6 +873,20 @@ Displays names and metadata (no values) for all secrets configured for your orga
| `--org ` | Organization ID |
| `--token ` | Depot API token |
+#### Examples
+
+##### List org-wide secrets:
+
+```bash
+depot ci secrets list
+```
+
+##### List org-wide and repo-scoped secrets together:
+
+```bash
+depot ci secrets list --repo owner/repo
+```
+
### `depot ci secrets remove`
```bash
@@ -357,27 +895,39 @@ depot ci secrets remove SECRET_NAME [SECRET_NAME...]
Alias: `depot ci secrets rm`. Accepts one or more secret names. Prompts for confirmation before deleting.
+| Flag | Description |
+| --------------------- | ------------------------------------------------------------ |
+| `--repo ` | Remove a repo-specific secret instead of the org-wide secret |
+| `--force` | Skip confirmation prompt |
+| `--org ` | Organization ID |
+| `--token ` | Depot API token |
+
+#### Examples
+
+##### Remove a single secret:
+
```bash
-# Remove a single secret
depot ci secrets remove MY_API_KEY
+```
+
+##### Remove a repo-specific secret:
-# Remove a repo-specific secret
+```bash
depot ci secrets remove MY_API_KEY --repo owner/repo
+```
+
+##### Remove multiple secrets at once:
-# Remove multiple secrets at once
+```bash
depot ci secrets remove GITHUB_TOKEN MY_API_KEY DATABASE_URL
+```
+
+##### Remove a secret without confirmation:
-# Remove without confirmation
+```bash
depot ci secrets remove GITHUB_TOKEN MY_API_KEY --force
```
-| Flag | Description |
-| --------------------- | ------------------------------------------------------------ |
-| `--repo ` | Remove a repo-specific secret instead of the org-wide secret |
-| `--force` | Skip confirmation prompt |
-| `--org ` | Organization ID |
-| `--token ` | Depot API token |
-
---
## `depot ci vars`
@@ -392,9 +942,9 @@ depot ci vars add VAR_NAME --value "some-value"
Supports three modes:
-- **Single variable with prompt**: `depot ci vars add VAR_NAME` — omit `--value` and the CLI prompts you to enter the value.
-- **Single variable with flag**: `depot ci vars add VAR_NAME --value "val"`
-- **Bulk KEY=VALUE pairs**: `depot ci vars add FOO=bar BAZ=qux` — sets multiple variables in one command. The `--value` flag cannot be used in this mode.
+- Single variable with prompt: `depot ci vars add VAR_NAME` — omit `--value` and the CLI prompts you to enter the value.
+- Single variable with flag: `depot ci vars add VAR_NAME --value "val"`
+- Bulk KEY=VALUE pairs: `depot ci vars add FOO=bar BAZ=qux` — sets multiple variables in one command. The `--value` flag cannot be used in this mode.
| Flag | Description |
| --------------------- | ---------------------------------------------------------------------------------------- |
@@ -403,6 +953,32 @@ Supports three modes:
| `--org ` | Organization ID |
| `--token ` | Depot API token |
+#### Examples
+
+##### Add an org-wide variable (prompts for value):
+
+```bash
+depot ci vars add SERVICE_NAME
+```
+
+##### Add an org-wide variable with value inline:
+
+```bash
+depot ci vars add SERVICE_NAME --value "api"
+```
+
+##### Add multiple variables using KEY=VALUE pairs:
+
+```bash
+depot ci vars add REGION=us-east-1 ENV=prod
+```
+
+##### Add a repo-scoped variable:
+
+```bash
+depot ci vars add DEPLOY_ENV --repo owner/repo --value "production"
+```
+
### `depot ci vars list`
```bash
@@ -418,6 +994,20 @@ Use `--repo` to also show repo-specific variables that override org-wide values.
| `--org ` | Organization ID |
| `--token ` | Depot API token |
+#### Examples
+
+##### List org-wide variables:
+
+```bash
+depot ci vars list
+```
+
+##### List org-wide and repo-scoped variables together:
+
+```bash
+depot ci vars list --repo owner/repo
+```
+
### `depot ci vars remove`
```bash
@@ -426,23 +1016,35 @@ depot ci vars remove VAR_NAME [VAR_NAME...]
Alias: `depot ci vars rm`. Accepts one or more variable names. Prompts for confirmation before deleting.
+| Flag | Description |
+| --------------------- | ---------------------------------------------------------------- |
+| `--repo ` | Remove a repo-specific variable instead of the org-wide variable |
+| `--force` | Skip confirmation prompt |
+| `--org ` | Organization ID |
+| `--token ` | Depot API token |
+
+#### Examples
+
+##### Remove a single variable:
+
```bash
-# Remove a single variable
depot ci vars remove GITHUB_REPO
+```
+
+##### Remove a repo-specific variable:
-# Remove a repo-specific variable
+```bash
depot ci vars remove GITHUB_REPO --repo owner/repo
+```
+
+##### Remove multiple variables at once:
-# Remove multiple variables at once
+```bash
depot ci vars remove GITHUB_REPO MY_SERVICE_NAME DEPLOY_ENV
+```
+
+##### Remove a variable without confirmation:
-# Remove without confirmation
+```bash
depot ci vars remove GITHUB_REPO MY_SERVICE_NAME --force
```
-
-| Flag | Description |
-| --------------------- | ---------------------------------------------------------------- |
-| `--repo ` | Remove a repo-specific variable instead of the org-wide variable |
-| `--force` | Skip confirmation prompt |
-| `--org ` | Organization ID |
-| `--token ` | Depot API token |
diff --git a/content/github-actions/integrations/dagger.mdx b/content/github-actions/integrations/dagger.mdx
index a834bb2..6389012 100644
--- a/content/github-actions/integrations/dagger.mdx
+++ b/content/github-actions/integrations/dagger.mdx
@@ -4,6 +4,13 @@ ogTitle: Run your Dagger Engine builds with Depot Runners for GitHub Actions.
description: Accelerate your Dagger Engine builds with Depot Runners
---
+import {NoteCallout} from '~/components/blog/NoteCallout'
+
+
+ Dagger Engine support on Depot GitHub Actions Runners is deprecated and will be removed in a future update. If you are
+ currently using this integration, please [contact support](/help) for guidance.
+
+
Connect with Dagger Cloud and run your Dagger Engine builds on Depot's [Ultra Runners for GitHub Actions](/products/github-actions) with our accelerated cache enabled.
## Authentication
diff --git a/content/integrations/tailscale.mdx b/content/integrations/tailscale.mdx
index b7ed0ad..da3791a 100644
--- a/content/integrations/tailscale.mdx
+++ b/content/integrations/tailscale.mdx
@@ -10,6 +10,8 @@ By connecting Depot to your Tailscale network, you can enable secure access to p
Using Tailscale, Depot GitHub Actions runners and container builders join your tailnet as [ephemeral nodes](https://tailscale.com/kb/1111/ephemeral-nodes), and you can control their access to the rest of your infrastructure using Tailscale ACLs.
+**Note**: Tailscale integration with Depot Windows runners is not supported.
+
## Connecting Depot to your tailnet
Connecting your Depot organization to a Tailscale tailnet is a three-step process:
diff --git a/content/registry/overview.mdx b/content/registry/overview.mdx
index 0d6b864..dc3e260 100644
--- a/content/registry/overview.mdx
+++ b/content/registry/overview.mdx
@@ -8,7 +8,7 @@ The **Depot Registry** is an OCI-compliant container registry for storing, manag
See the [quickstart](/docs/registry/quickstart) to get started.
-## How does it work?
+## How it works
Each Depot organization gets its own registry subdomain:
@@ -36,27 +36,33 @@ The [Registry Explorer](/orgs/_/registry/explorer) in the Depot dashboard lets y
[](/images/docs/registry-page.webp)
-## Use-cases
+## Use cases
-Depot Registry works for a variety of use-cases:
+Depot Registry works for a variety of use cases:
-- **Primary registry**: Use Depot Registry as your primary container registry for all your images, including ones you're not building with Depot.
-- **Ephemeral build store**: Automatically save build output during `depot build --save` and pull it down wherever you need it.
-- **Local development**: Pull images directly to your local machine for testing and development. The global CDN ensures fast downloads regardless of your location.
-- **Cross-environment consistency**: Build an image once on Depot, save it to the registry, then promote that same image across development, staging, and production without rebuilding.
-- **OCI artifacts**: Store any OCI-compliant artifact, including Helm charts and AI models, not just container images.
-- **Depot CI custom images**: Snapshot a Depot CI sandbox with your tools and dependencies pre-installed and store it in the registry. Jobs that use the snapshot skip setup entirely, speeding up your CI. See [Build and use custom images](/docs/ci/how-to-guides/custom-images).
-- **Working with large images**: The global distribution mechanism makes pulling and pushing large images fast. The registry supports artifacts up to 50GB.
+**Primary registry**: Use Depot Registry as your primary container registry for all your images, including ones you're not building with Depot.
+
+**Ephemeral build store**: Automatically save build output during `depot build --save` and pull it down wherever you need it.
+
+**Local development**: Pull images directly to your local machine for testing and development. The global CDN ensures fast downloads regardless of your location.
+
+**Cross-environment consistency**: Build an image once on Depot, save it to the registry, then promote that same image across development, staging, and production without rebuilding.
+
+**OCI artifacts**: Store any OCI-compliant artifact, including Helm charts and AI models, not just container images.
+
+**Depot CI custom images**: Snapshot a Depot CI sandbox with your tools and dependencies pre-installed and store it in the registry. Jobs that use the snapshot skip setup entirely, speeding up your CI. See [Build and use custom images](/docs/ci/how-to-guides/custom-images).
+
+**Working with large images**: The global distribution mechanism makes pulling and pushing large images fast. The registry supports artifacts up to 50GB.
## Pull-through cache
-Depot Registry can act as a pull-through cache in front of an existing registry. You configure an upstream registry on a per-repository basis from the repository's settings in the [Registry Explorer](/orgs/_/registry/explorer). Supported authentication methods are basic auth (username and password) and AWS ECR via IAM role ARN for cross-account access.
+Depot Registry can proxy pulls from an external registry, caching layers on its CDN so subsequent pulls skip the external hop entirely. Common uses include accelerating CI image pulls, distributing images globally without managing your own CDN, and simplifying access to registries with complex authentication (like Google Artifact Registry).
-Once configured, Depot serves pulls from your repository through a global CDN rather than going directly to the upstream, which reduces latency and improves consistency across your infrastructure.
+For configuration details and supported providers, see [Pull-through cache](/docs/registry/pull-through-cache).
## Authentication and permissions
-Depot Registry authenticates with the same token types used across the rest of the Depot platform. All token types provide both push and pull access except pull tokens, which are read-only:
+Depot Registry authenticates with the same token types used across the rest of the Depot platform. All token types provide both push and pull access except for pull tokens, which are read-only. You can use the following types of tokens for registry authentication:
- **User access tokens**: Full push and pull permissions for any project in any organization you have access to
- **Project tokens**: Full push and pull permissions for the specific project they're associated with
@@ -64,7 +70,7 @@ Depot Registry authenticates with the same token types used across the rest of t
- **Trust relationship tokens**: Full push and pull permissions for the project when issued via OIDC trust relationships
- **Pull tokens**: Read-only, short-lived access for pulling images only (generated via `depot pull-token --project `)
-### Authentication for the `docker` CLI
+### Authentication for the Docker CLI
To use Depot Registry with Docker CLI tools, authenticate using a Depot token. Set the username to `x-token` and the password to your chosen token:
diff --git a/content/registry/pull-through-cache.mdx b/content/registry/pull-through-cache.mdx
new file mode 100644
index 0000000..a2470e7
--- /dev/null
+++ b/content/registry/pull-through-cache.mdx
@@ -0,0 +1,73 @@
+---
+title: Pull-through cache
+ogTitle: Pull-through cache in Depot Registry
+description: Configure Depot Registry as a pull-through cache in front of an external registry to speed up CI, distribute images globally, and simplify private registry access.
+---
+
+Depot Registry can proxy pulls from an upstream registry. When a pull comes in for a repository with pull-through cache configured, Depot fetches images from the upstream repository, caches them locally to speed up your runners, and serves them through Depot's accelerated CDN.
+
+Configuration happens in two steps:
+
+- **Upstream registry**: The external registry connection, including the URL and credentials. You configure upstream registries at the organization level and they can be reused across multiple Depot repositories.
+- **Upstream repository**: The image path within an upstream registry that a Depot repository mirrors. You choose this path when creating a Depot repository.
+
+You can create and update upstream registries from [Registry Settings](/orgs/_/registry/settings). Pull-through cache for an individual repository can only be configured when you cerate the repository.
+
+## Use cases
+
+**Faster CI pulls**: Pulling images from Docker Hub or another external registry in CI can take several minutes per job. It's also subject to rate limits and upstream availability. With pull-through cache configured, Depot serves cached layers from its CDN rather than the upstream source, so the pull is fast and doesn't depend on an external service being up.
+
+**Global image distribution**: Depot's CDN distributes cached layers globally. If you're running jobs or deployments across multiple regions, configuring your registry as an upstream means every region pulls from a nearby CDN node rather than a single-region origin.
+
+**Simplified private registry access**: Some registries, like Google Artifact Registry and Google Container Registry, require OAuth-based service account credentials that are complex to configure in every environment. With Depot, you enter the upstream registry's credentials once in the dashboard, and Depot handles authentication to the upstream on every pull. A client needs only a Depot token to pull images.
+
+## Configure an upstream registry
+
+Manage upstream registries from the **Registry settings**. Adding an upstream registry here lets you reuse the same credentials across multiple Depot repositories.
+
+1. Open [Registry Settings](/orgs/_/registry/settings) in the Depot dashboard.
+2. Under **Pull-through cache**, click **Add upstream registry**.
+3. Select a provider from the dropdown.
+4. Fill in the registry URL and credentials for the provider (see [Supported registries](#supported-registries)).
+5. Click **Save upstream registry**.
+
+Once saved, the upstream registry appears in the list and is available when creating a pull-through repository. You can create the repository from Registry Settings by clicking **Create pull-through repository** on the upstream registry, or create it from the repository creation page and select the upstream registry there.
+
+## Create a pull-through repository
+
+After creating an upstream registry, create a Depot repository and configure pull-through cache during repository creation.
+
+1. Open [Repositories](/orgs/_/registry/repositories) in the Depot dashboard.
+2. Click **Create repository**.
+3. Enter the Depot repository name.
+4. Under **Pull-through cache**, click **Configure**.
+5. Select **Existing registry** and choose the upstream registry from the dropdown. If you haven't created one yet, select **New registry** to create one inline.
+6. Enter the upstream repository path to mirror.
+7. Click **Create repository**.
+
+Once created, Depot proxies pulls from that Depot repository through the configured upstream repository. If Depot previously cached the requested layer, it serves the layer from the CDN without contacting the upstream registry.
+
+The first pull of an image can be slower because Depot needs to fetch the manifest and missing blobs from the upstream registry. Subsequent pulls are served from Depot while those blobs remain cached. Pull-through blobs that aren't referenced by a pushed manifest become eligible for cleanup after 6 hours without repository access; once they are cleaned up, the next pull fetches them from the upstream registry again.
+
+Pull-through cache cannot be added to or changed for an existing repository. If you need a different upstream repository, create a new Depot repository with the desired pull-through cache configuration.
+
+To pull images through Depot Registry, use a [pull token](/docs/cli/authentication#pull-tokens) rather than the upstream registry's credentials.
+
+## Supported registries
+
+| Registry | URL | Auth method |
+| ------------------------- | -------------------------------------------- | ------------------------------------------------------ |
+| Docker Hub | `https://registry-1.docker.io` | Basic auth: Docker Hub username + access token |
+| GitHub Container Registry | `https://ghcr.io` | Basic auth: GitHub username + personal access token |
+| GitLab Container Registry | `https://registry.gitlab.com` | Basic auth: GitLab username + personal access token |
+| Quay.io | `https://quay.io` | Basic auth: Quay.io username + password or robot token |
+| AWS ECR | Your ECR registry URL | IAM role ARN |
+| Google Artifact Registry | `https://us-docker.pkg.dev` (or your region) | Basic auth: `_json_key` + service account JSON key |
+| Azure Container Registry | Your ACR URL | Basic auth: service principal client ID + secret |
+| Custom registry | Your registry URL | Basic auth: username + password |
+
+Credentials are required for Docker Hub and for any private repository. For other registries, you can omit credentials if the upstream repository is public.
+
+### AWS ECR authentication
+
+For AWS ECR upstreams, Depot authenticates using an IAM role ARN rather than static credentials. Enter the ARN of a role that grants Depot read access to your ECR registry. Contact [support@depot.dev](mailto:support@depot.dev) for the trust relationship configuration details needed to allow Depot to assume the role.
|