CI / CD (act)
SnakeFlow integrates with act — a tool that runs GitHub Actions workflows locally inside Docker containers. You get the same workflow execution as GitHub CI, but on your machine, without a push.
Requirements
- act CLI — install from nektosact.com
  - Windows: winget install nektos.act
  - macOS: brew install act
  - Linux: see the act releases page
- Docker Desktop (or any Docker-compatible runtime) — act uses Docker to run workflow steps
Running a Workflow
Open the Command Palette (Ctrl+Shift+P) and run SnakeFlow: GitHub Actions (act) (or find it under Quality Hub if exposed there).
A two-step picker appears:
- Select workflow — all .yml/.yaml files in .github/workflows/ are listed with their triggers and job count
- Select job — choose a specific job or run all jobs in the workflow
If the selected workflow references ${{ secrets.* }} values, the secrets step opens automatically (see Secrets below).
Secrets
Workflows that need API tokens, credentials, or environment-specific values declare them as ${{ secrets.NAME }}. SnakeFlow detects all secret references in the workflow file automatically — no manual configuration needed.
Setting secrets
Run SnakeFlow: Manage CI Secrets from the Command Palette. A picker lists every secret found across all workflow files in the project:
- $(check) NAME — value is stored; shown as ●●●●●●●● (stored)
- $(circle-slash) NAME — not yet set; click to enter a value
Enter the value in the password InputBox that appears. Values are stored in VS Code SecretStorage — OS keychain-backed encrypted storage (Windows Credential Manager / macOS Keychain / libsecret). They never touch disk or git.
Secrets are per-project, per-machine — each developer stores their own credentials locally. This is intentional: credentials never leave the machine.
Secrets and the Quality Hub
When the act (CI local) check runs inside the Quality Hub (Ctrl+Alt+F), it automatically reads the same stored secrets and passes them as --secret NAME flags plus environment variables. No manual step required — set the secrets once via Manage CI Secrets and both the interactive runner and the Quality Hub will use them.
Which secrets are needed
This depends entirely on your workflows. SnakeFlow does not know or care about specific providers — it scans ${{ secrets.* }} patterns and surfaces every name it finds. Common examples:
| Workflow purpose | Typical secret names |
|---|---|
| Deploy to any cloud | Provider API token (varies by platform) |
| Database migrations | DATABASE_URL, DIRECT_URL |
| Container registry | REGISTRY_TOKEN, DOCKER_PASSWORD |
| Security scanners | SEMGREP_APP_TOKEN, SNYK_TOKEN |
| Notification services | SLACK_WEBHOOK, DISCORD_TOKEN |
GITHUB_TOKEN is provided automatically by act — you do not need to set it unless you want to override it.
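The secret detection and the `--secret NAME` hand-off described above can be sketched as follows. This is an added example, not SnakeFlow's own code: the helper names, the sample workflow and the `stored` Map (standing in for the SecretStorage lookup) are assumptions. It shows that only secret names go on the act command line while values travel in the child environment.

```javascript
// Added example: helper names are hypothetical, not SnakeFlow's API.
// Constructed sample workflow (not from a real repository).
const SAMPLE_WORKFLOW = `
on: push
jobs:
  migrate:
    runs-on: ubuntu-latest
    steps:
      # retired: \${{ secrets.LEGACY_TOKEN }}
      - run: npx prisma migrate deploy
        env:
          DATABASE_URL: \${{ secrets.DATABASE_URL }}
          DIRECT_URL: \${{ secrets['direct_url'] }}
      - run: ./notify.sh
        env:
          HOOK: \${{ secrets.SLACK_WEBHOOK || secrets.DISCORD_TOKEN }}
          GH: \${{ secrets.GITHUB_TOKEN }}
`;

const EXPRESSION = /\$\{\{([\s\S]*?)\}\}/g;
const SECRET_REF = /\bsecrets(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*'([^']+)'\s*\])/gi;

// Collect every secret name referenced inside an expression, ignoring comment lines.
function findSecretNames(workflowText) {
  const live = workflowText.split("\n")
    .filter((line) => !line.trimStart().startsWith("#")).join("\n");
  const names = new Set();
  for (const expr of live.matchAll(EXPRESSION)) {
    for (const ref of expr[1].matchAll(SECRET_REF)) {
      names.add((ref[1] || ref[2]).toUpperCase()); // secret names are case-insensitive
    }
  }
  return [...names].sort();
}

// Build argv and env for act. `stored` is a Map standing in for the keychain lookup.
function buildActInvocation({ event, workflowFile, job, names, stored }) {
  const args = [event, "-W", workflowFile];
  if (job) args.push("-j", job);
  const env = {};
  const missing = [];
  for (const name of names) {
    if (!stored.has(name)) {
      if (name !== "GITHUB_TOKEN") missing.push(name); // act supplies GITHUB_TOKEN
      continue;
    }
    args.push("--secret", name); // name only: act reads the value from env
    env[name] = stored.get(name); // value stays out of argv
  }
  return { args, env, missing };
}
```

A caller would start act with `args` and an environment of `{ ...process.env, ...env }`, and report `missing` to the user before the run.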
Quality Hub — act check
The builtin-act Quality Hub provider runs all (or filtered) workflows in the background as part of the full quality scan and surfaces pass/fail per workflow.
Expected behavior for locally missing secrets:
- Workflows that require cloud-provider credentials (deploy pipelines, remote scanners) will fail or skip — this is expected and not a code problem
- Lint, type-check, build, and unit-test jobs typically need no secrets and pass normally
Configuration
"devManager.ci.workflowsPath": ".github/workflows",
"devManager.ci.actExtraArgs": "",
"devManager.quality.builtin.act.enabled": true,
"devManager.quality.builtin.act.workflow": "",
"devManager.quality.builtin.act.trigger": "push"

| Setting | Default | Description |
|---|---|---|
| devManager.ci.workflowsPath | .github/workflows | Relative path to workflow files |
| devManager.ci.actExtraArgs | "" | Extra flags appended to every act call (e.g. --platform ubuntu-latest=...) |
| devManager.quality.builtin.act.enabled | true | Enable/disable in Quality Hub |
| devManager.quality.builtin.act.workflow | "" | Filename filter — only run workflows whose filename contains this string |
| devManager.quality.builtin.act.trigger | push | Event trigger to simulate (push, pull_request, workflow_dispatch) |
Commands
| Command | Description |
|---|---|
| SnakeFlow: GitHub Actions (act) | Interactive workflow + job picker, then run |
| SnakeFlow: Manage CI Secrets | Set / update / clear stored secrets for the current project |
Migrations in GitHub Actions
Local Quality Hub catches many migration mistakes, but CI should still run the same class of commands so merges are not gated only by a developer machine (and so git commit --no-verify cannot bypass team policy).
The built-in Migrations CI Gate (devManager.quality.builtin.migrationsCiGate.enabled, default on) scans .github/workflows/*.{yml,yaml} for steps that mention migration safety tooling — for example prisma migrate diff, drizzle-kit check, atlas migrate validate, SnakeFlow / cruise:err, or similar. If your repo is detected as Prisma/Drizzle/Atlas but no such step exists, the check fails in Quality Hub with a suggested workflow snippet.
Details: Built-in checks — Database & migrations and All settings — migrations / precommit.
Windows notes
- act requires Docker Desktop to be running before workflows can execute
- Some workflow features (e.g. services: blocks for PostgreSQL) are not supported by act on Windows — steps that depend on Docker services will be skipped or fail
- For full CI parity (including database services), push to a feature branch and let GitHub Actions run the workflow remotely
Related
- Quality Hub — act runs as one of the built-in CI checks
- Database & migrations — Migrations CI Gate, No Manual Migrations, Prisma/Drizzle/Atlas
- Git Branches — manage branches before running CI