FAQs

Yes. Actions are enabled per-repository. Go to your repository on Copia, then Settings > Actions, and check Enable Repository Actions.

Workflow files are stored in the .copia/workflows/ directory of your repository, with a .yaml or .yml extension. For example: .copia/workflows/ci.yaml.

Yes. Add workflow_dispatch to your workflow's on: triggers, then use the Run Workflow button on the Actions tab in the Copia UI.

Scheduling workflows is not available at this time.

Copia Actions workflow syntax is designed to be largely compatible with GitHub Actions. Most GitHub Actions workflows can be adapted with minimal changes. The main differences are:

• Workflow files go in .copia/workflows/ instead of .github/workflows/.

• Some advanced syntax features are not yet supported (see below).

• Actions are downloaded from GitHub by default, but you can use absolute URLs to reference actions from any Git repository.

The following workflow syntax features are currently not supported and will be ignored if present:

Yes, a few additional differences to be aware of:

• Package registry tokens: The automatic job token cannot currently publish to package registries. Use a Personal Access Token (PAT) stored as a secret instead.

• Problem matchers: Scanning action output for regex patterns and surfacing annotations in the UI is not supported.

• Error annotations: Not supported.

• Expression functions: Only always() is supported as a status check function.

• Pre/Post steps: These run correctly, but do not have their own section in the job log UI.

• Service containers: These run correctly, but do not have their own section in the job log UI.

• Pull request ref: For pull_request events, the ref is refs/pull/:prNumber/head (the PR head), not refs/pull/:prNumber/merge (the merge preview) as in GitHub Actions.

Yes. By default, actions referenced without a full URL (like actions/checkout@v4) are downloaded from GitHub. You can also use absolute URLs to reference actions from any accessible Git repository:

The https:// or http:// prefix is required when using absolute URLs.

Both ${{ github.xyz }} and ${{ gitea.xyz }} are supported and behave identically. You can use either. We recommend ${{ github.xyz }} for maximum compatibility if you also use GitHub Actions.

The runner binary is available for Linux, macOS, and Windows. Other operating systems may work if supported by Go and Docker, but are untested.

When running jobs directly on the host (not in Docker containers), be aware of environment differences. For example, bash is typically not available on Windows — you will need to set powershell as the default shell:

Runners can be registered at two levels:

• Organization level — The runner serves all repositories in your organization.

• Repository level — The runner serves only that specific repository.

A repository may use organization-level runners even if it has its own repository-level runners.

Labels determine which jobs a runner can accept and how those jobs are executed. When a workflow specifies runs-on: ubuntu-latest, the job is routed to a runner with a matching ubuntu-latest label.

Labels also encode the execution mode. For example:

• ubuntu-latest:docker://node:16-bullseye — Run in Docker using the specified image

• linux_amd64:host — Run directly on the host machine

See Runner Setup — Labels for details.

This is valid syntax. It means the job should run on a runner that has both labels. The runner must have all specified labels registered.

Agent labels are reported to Copia by the runner during registration. Custom labels can be added manually by an administrator. However, a custom label may not map to an environment the runner knows how to handle. If you need to change a runner's labels, we recommend re-registering the runner or updating the runners.labels section in the runner's config.yaml and restarting.

Not at launch. Copia Actions Runners currently supports self-hosted runners only — you provide and manage the machines that execute jobs. Copia-hosted runners are planned for a future release.

Idle runners have no standing permissions on your Copia instance. They can only connect and poll for jobs. Once a job is assigned, the runner receives a temporary, scoped token that grants read-only access to the repository associated with that job. The token expires when the job completes.

Additional permissions can be granted to the runner using personal access tokens (PATs) and Secrets.

Yes. Your actions runner has read-only permissions to your repository by default, but you can allow write operations (e.g. pushing commits) using personal access tokens (PATs) and Secrets. Start by creating a personal access token. Personal access tokens are tied to a Copia user account and are managed in the user's settings. In your user settings, click "Applications" in the left-hand navigation menu. Give the token a name and click "Generate Token". Ensure the user has write access to the repo you want to push to. In your repository or organization settings, click "Secrets" in the left-hand navigation menu. Add a new Secret and paste the personal access token you just created in the Secret's "Value" field. Add the "token" field to the actions/checkout step in your workflow file (replace "YOUR_SECRET_NAME_HERE" with the actual name of the secret you created):

There are two main threat vectors: untrusted runners and malicious workflows.

An untrusted runner could steal code or secrets from jobs it executes. Only register runners you control on trusted infrastructure. Only provide runners to organizations and repositories you trust. Run jobs in Docker containers for isolation. Avoid host mode unless necessary. Use ephemeral runners for high-security environments — they execute one job and terminate. A workflow could run harmful code on your runner. Only register runners you control on trusted infrastructure. Only provide runners to organizations and repositories you trust. Run jobs in Docker containers for isolation. Avoid host mode unless necessary. For pull requests from forks, require approval before workflows run. Use ephemeral runners for high-security environments — they execute one job and terminate.

Docker mode runs each job in a fresh, isolated container. This prevents jobs from:

• Interfering with each other

• Leaving artifacts on the runner host

• Accessing the runner's filesystem or other processes

It also ensures reproducibility — the same Docker image produces the same environment every time.

• Verify the runner process is still running (./act_runner daemon or the Docker container).

• Check that the runner can reach your Copia instance over the network.

• If using a self-hosted Copia instance, confirm the instance URL is correct and not a loopback address.

• Ensure the job container can reach your Copia instance. The actions/checkout action clones your repository by connecting to the instance URL.

• Do not use 127.0.0.1 or localhost as the instance URL — job containers run in separate network namespaces and cannot reach loopback addresses on the host.

On Windows, bash is not available by default. Set powershell as the default shell for your workflow:

Or per-step:

If the .runner file (created during registration) becomes corrupted or the runner fails to start, delete the file and re-register:

There is a known LFS bug in GitHub's checkout action that causes duplicate Authentication headers to be sent in requests, resulting in HTTP 400 Bad Request responses from our server. If you are seeing these kinds of errors, there are two remediations you may try: For actions/checkout@v5 (and lower versions):

For actions/checkout@v6, create a new personal access token for a Copia user who has (at minimum) read access to the repository you are trying to clone. Then, create a new repository or organization "Secret" with the token as the value. Finally, use the secret in the workflow as shown below: