Deterministic, secure Salesforce CLI setup for real CI/CD pipelines.
Fast, cached, and configurable Salesforce CLI setup for GitHub Actions.
Designed for production pipelines, mono-repos, and enterprise Salesforce teams.
Most Salesforce pipelines fail due to:
- Non-deterministic CLI installs
- Slow, repeated setup
- Fragile auth handling
- One-size-fits-all workflows
This action solves those problems by providing a stable execution layer that workflows can reliably depend on.
- Fast: ~20-60s with caching
- Secure Auth: JWT, SFDX Auth URL, or Access Token
- Smart Caching: CLI + plugins cached across runs
- Mono-Repo Ready: Multi-directory source resolution
- Extensible: Optional plugins and dev tools
- Well Tested: Linux, macOS, and Windows runners

```yaml
- name: Setup Salesforce
  uses: rdbumstead/setup-salesforce-action@v2
  with:
    jwt_key: ${{ secrets.SFDX_JWT_KEY }}
    client_id: ${{ secrets.SFDX_CLIENT_ID }}
    username: ${{ vars.SFDX_USERNAME }}
```

```yaml
- name: Setup Salesforce
  uses: rdbumstead/setup-salesforce-action@v2
  with:
    jwt_key: ${{ secrets.SFDX_JWT_KEY }}
    client_id: ${{ secrets.SFDX_CLIENT_ID }}
    username: ${{ vars.SFDX_USERNAME }}
    install_delta: "true"
    install_scanner: "true"
```

| Method | Use Case |
|---|---|
| JWT (default) | Production CI/CD |
| SFDX Auth URL | Sandboxes, quick setup |
| Access Token | Advanced integrations |
Example (SFDX Auth URL):

```yaml
auth_method: "sfdx-url"
sfdx_auth_url: ${{ secrets.SFDX_AUTH_URL }}
```

Useful for conditional and reusable workflows:

- `org_id`
- `org_type`
- `org_edition`
- `api_version`
- `auth_performed`
- `sf_cli_version`
- `source_flags`
- `used_default_node` (new in v3.0) - Whether default Node.js version was used
- `used_default_cli_version` (new in v3.0) - Whether default CLI version was used
- `used_default_api_version` (new in v3.0) - Whether API version was auto-detected
- `cli_binary_path` (new in v3.0) - Absolute path to `sf` executable (for custom tooling)
- `validated_config` (new in v3.0) - JSON summary of final configuration (for auditing)

Example:

```yaml
- run: sf project deploy start ${{ steps.setup.outputs.source_flags }}
```

This action guarantees the following invariants on successful completion:

- CLI installed and callable - `sf` command is available and functional
- Authenticated org available - Org is reachable under the specified alias (unless `skip_auth: true`)
- Instance URL resolved - Org instance URL is known
- API version resolved - Salesforce API version is determined
- No secrets in logs - Sensitive credentials are never written to logs

If any invariant fails, the action will fail fast and report the specific violation.
Partial failures in foundation primitives are dangerous. This action will never report success if:
- CLI installs but is non-functional
- Authentication succeeds but org is unreachable
- Org metadata queries fail
This makes the action suitable for use as a primitive in complex CI/CD workflows.
This action follows strict Semantic Versioning:
- MAJOR (v3.0.0) - Breaking changes to guarantees or behavior
- MINOR (v3.1.0) - New features, backward compatible
- PATCH (v3.0.1) - Bug fixes only
- Defaults never change in MINOR versions (e.g., CLI version, Node version)
- Breaking changes only in MAJOR versions
- Consumers should pin to MAJOR version: `@v3`

- Removing inputs or outputs
- Changing default values
- New invariant validations (may fail previously passing workflows)
- Changes to output formats
Recommendation: Always pin to a major version in production workflows (uses: rdbumstead/setup-salesforce-action@v3).
This action uses intelligent caching to optimize setup time (~20-60s cached vs ~1.5-3min cold).
Cache keys are composed of:

`sf-v3-{OS}-node{version}-cli{resolved_version}-tools{hash}`

- OS: Linux, macOS, or Windows (prevents cross-platform corruption)
- Node version: From `node_version` input
- CLI version: Resolved from `cli_version` input (see below)
- Tools hash: SHA256 of all optional tooling flags

When `cli_version: "latest"` (default):

- Try npm registry - Fetches actual version via `npm view @salesforce/cli version` (10s timeout)
- Fallback to time-based rotation - If npm unreachable, uses `latest-YYYY-MM` format
  - Ensures cache refreshes monthly even during npm outages
  - Prevents indefinite staleness

When explicit version specified (e.g., `cli_version: "2.30.8"`):

- Uses exact version in cache key
- Controlled by `cli_version_for_cache` input (major/minor/exact granularity)

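
The key layout and version-resolution rules above, as an added shell sketch (not the action's own code). The function names, the sorted `name=value` flag form and the untruncated digest are assumptions of this example; the version string is validated before it enters the key, so registry output or an input value can never inject arbitrary text into it.

```bash
# Added sketch of the cache-key scheme described above; not the action's source.

# Registry lookup with the 10s timeout the README mentions.
lookup_latest() { timeout 10 npm view @salesforce/cli version 2>/dev/null; }

# True only for plain MAJOR.MINOR.PATCH, so registry output or an input value
# containing anything else never reaches the cache key.
is_semver() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  case "$1" in
    *.*.*.*) return 1 ;;
    *.*.*)   return 0 ;;
    *)       return 1 ;;
  esac
}

# $1 = cli_version input, $2 = cli_version_for_cache (major|minor|exact)
resolve_cli_version() {
  local v
  if [ "$1" = "latest" ]; then
    v="$(lookup_latest)" || v=""
    is_semver "$v" && { printf '%s\n' "$v"; return 0; }
    printf 'latest-%s\n' "$(date -u +%Y-%m)"   # npm outage: monthly rotation
    return 0
  fi
  is_semver "$1" || return 1   # reject malformed explicit versions
  case "$2" in
    major) printf '%s\n' "${1%%.*}" ;;
    minor) printf '%s\n' "${1%.*}" ;;
    *)     printf '%s\n' "$1" ;;
  esac
}

# SHA-256 over the sorted flags, so flag order never changes the key.
# One "name=value" per line is an assumed canonical form (GNU sha256sum).
tools_hash() { printf '%s\n' "$@" | LC_ALL=C sort | sha256sum | cut -d' ' -f1; }

# $1 = OS, $2 = Node version, $3 = cli_version, $4 = granularity, rest = flags
build_cache_key() {
  local os="$1" node="$2" cli
  cli="$(resolve_cli_version "$3" "$4")" || return 1
  shift 4
  printf 'sf-v3-%s-node%s-cli%s-tools%s\n' "$os" "$node" "$cli" "$(tools_hash "$@")"
}

build_cache_key Linux 20 2.30.8 minor install_delta=true install_scanner=true
```
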
Cache HIT:
- Same OS, Node version, CLI version, and tooling
- CLI already functional from previous run
Cache MISS:
- Different OS or Node version
- CLI version changed (or monthly rotation occurred)
- Tooling flags changed (added/removed plugins)
- First run in new environment
To force a fresh install:

- Change `cli_version` to explicit version, or
- Change `cli_version_for_cache` granularity, or
- Wait for monthly rotation (if using `latest`)

Full documentation lives in /docs:
- Action Overview
- Quick Start Guide
- Migration Guide
- Testing Strategy
- Platform Support
- Troubleshooting
- Architecture (new in v3.0)
- Cross-platform support (Windows, macOS)
- Custom plugin installation
- Multi-directory source handling
- External Client App support (Winter '25+ orgs)
- Enhanced CLI version resolution & reporting (v2.1+)
- Org limits & usage outputs
- SARIF output support
- Reusable CI/CD workflow templates
This action orchestrates the installation of several best-in-class open-source tools. We recommend starring their repositories and reviewing their specific documentation:
- sfdx-git-delta by Sebastien Colladon
  Used for the `install_delta` feature. This tool is essential for generating delta deployments.
- Salesforce Code Analyzer by Salesforce
  Used for the `install_scanner` feature. Provides PMD, ESLint, and RetireJS scanning.
- Prettier Plugin Apex
  Used for the `install_prettier` feature to format Apex code.
- LWC ESLint Plugin
  Used for the `install_eslint` feature to lint Lightning Web Components.
We explicitly verify compatibility with popular ecosystem plugins in our test suite, including:
- sfdx-hardis (CI/CD orchestration)
- sfpowerscripts (Release management)
- Issues: GitHub Issues
- LinkedIn: Ryan Bumstead
Built for Salesforce teams who want boring, repeatable pipelines.