CLI Reference
ghagen provides commands organized into top-level commands (synth, check-synced, init) and a deps subgroup (deps pin, deps check-synced, deps upgrade).
ghagen synth
Section titled “ghagen synth”Generate YAML workflow files from your Python definitions.
ghagen synthOptions
Section titled “Options”| Option | Description |
|---|---|
--config PATH | Path to the configuration file. Defaults to auto-detection. |
Config file resolution
Section titled “Config file resolution”If --config is not specified, ghagen locates the workflow file in this order:
- The top-level
entrypointkey in.ghagen.yml, if present .github/ghagen_workflows.pyghagen_config.py
The entrypoint value is a path (relative paths resolve against the
.ghagen.yml parent directory, i.e. the repo root, not the current working
directory). Use this when your workflow file lives outside the two default
locations:
entrypoint: scripts/workflows.pyWithin the workflow file, ghagen looks for:
- A
create_app()function that returns anAppinstance - An
appvariable that is anAppinstance
Example
Section titled “Example”# Use default config detectionghagen synth
# Specify a config fileghagen synth --config workflows/generate.pyghagen check-synced
Section titled “ghagen check-synced”Verify that generated YAML files match the current Python definitions. Exits with code 0 if all files are up to date, or code 1 if any file is stale.
ghagen check-syncedOptions
Section titled “Options”| Option | Description |
|---|---|
--config PATH | Path to the configuration file. Defaults to auto-detection. |
This command follows the same config file resolution as synth.
Example
Section titled “Example”# Run in CI to catch stale workflowsghagen check-synced
# Check with explicit configghagen check-synced --config .github/ghagen_workflows.pyCI usage
Section titled “CI usage”Add ghagen check-synced to your CI pipeline to ensure that generated YAML files are never out of sync with their Python definitions:
- name: Check workflow freshness run: ghagen check-syncedIf someone edits a generated YAML file directly instead of updating the Python source, ghagen check-synced will fail and the CI run will report the mismatch.
ghagen deps pin
Section titled “ghagen deps pin”Pin every uses: reference in your workflows to an exact commit SHA, recorded
in .ghagen.lock.yml. When a lockfile is present, ghagen synth
automatically rewrites uses: entries to the pinned SHA on emission, so your
generated YAML is reproducible without hand-editing.
ghagen deps pin # Resolve any refs missing from the lockfileghagen deps pin --update # Re-resolve every entry to the latest SHAghagen deps pin --prune # Drop lockfile entries no longer referencedOptions
Section titled “Options”| Option | Description |
|---|---|
--config PATH, -c | Path to the configuration file. Defaults to auto-detection. |
--update | Re-resolve every entry to its current SHA, not just the missing ones. |
--prune | Remove lockfile entries that are no longer referenced by any workflow. |
--token TOKEN | GitHub token used to resolve refs. Defaults to $GITHUB_TOKEN, then $GH_TOKEN. Unauthenticated requests are limited to 60/hour. |
Exit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
0 | Lockfile is in sync (or was updated successfully) |
1 | One or more refs failed to resolve |
ghagen deps check-synced
Section titled “ghagen deps check-synced”Verify the lockfile is in sync with the current code. Exits with code 1 if the lockfile is stale. Does not make network calls.
ghagen deps check-syncedOptions
Section titled “Options”| Option | Description |
|---|---|
--config PATH, -c | Path to the configuration file. Defaults to auto-detection. |
--prune | Also check for lockfile entries that are no longer referenced by any workflow. |
Exit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
0 | Lockfile is in sync |
1 | Lockfile is stale |
CI usage
Section titled “CI usage”Run ghagen deps check-synced --prune in CI to catch PRs that introduce a new
uses: without updating the lockfile:
Step( name="Check lockfile sync", run="ghagen deps check-synced --prune",)ghagen deps check-synced does not make network calls, so it doesn’t need a GitHub token.
ghagen deps upgrade
Section titled “ghagen deps upgrade”Detect and apply updates to action dependencies in your workflows. By default,
applies updates to Python source files (version bumps). Use --check for a
dry-run report without modifying files.
ghagen deps upgrade # Apply available updates to source filesghagen deps upgrade --check # Report available updates without applyingghagen deps upgrade --check --json # Machine-readable JSON reportOptions
Section titled “Options”| Option | Description |
|---|---|
--config PATH, -c | Path to the configuration file. Defaults to auto-detection. |
--check | Report available updates without applying changes (dry-run mode). |
--json | Output results as JSON (only valid with --check). |
--token TOKEN | GitHub token used to query tags. Defaults to $GITHUB_TOKEN, then $GH_TOKEN. |
Exit codes
Section titled “Exit codes”| Code | Meaning |
|---|---|
0 | No updates available, or updates applied successfully |
1 | Updates available (--check) or one or more updates failed to apply |
ghagen init
Section titled “ghagen init”Scaffold a starter configuration file with a minimal CI workflow.
ghagen initOptions
Section titled “Options”| Option | Description |
|---|---|
--outdir PATH | Directory to create the config file in. Defaults to .github. |
Example
Section titled “Example”# Create .github/ghagen_workflows.pyghagen init
# Create in a custom directoryghagen init --outdir workflowsThe generated file contains an App instance with a single CI workflow that checks out code and runs a placeholder test command.