{"id":28474274,"url":"https://github.com/snowflakedb/snowflake-cli-action","last_synced_at":"2026-02-23T21:10:41.710Z","repository":{"id":232398640,"uuid":"773988325","full_name":"snowflakedb/snowflake-cli-action","owner":"snowflakedb","description":"Github Action enabling easy use of Snowflake CLI in your CI/CD workflows","archived":false,"fork":false,"pushed_at":"2025-08-08T10:22:39.000Z","size":120,"stargazers_count":36,"open_issues_count":3,"forks_count":12,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-08-08T11:45:58.223Z","etag":null,"topics":["actions","data-ops","devops-tools","snowflake","sql"],"latest_commit_sha":null,"homepage":"https://docs.snowflake.com/developer-guide/snowflake-cli-v2/index","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/snowflakedb.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-03-18T18:42:41.000Z","updated_at":"2025-07-25T14:08:06.000Z","dependencies_parsed_at":"2024-05-07T08:43:04.456Z","dependency_job_id":"b05a00d2-97c4-45b0-9e5f-54e5d45927e9","html_url":"https://github.com/snowflakedb/snowflake-cli-action","commit_stats":null,"previous_names":["snowflake-labs/snowflake-cli-action","snowflakedb/snowflake-cli-action"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/snowflakedb/snowflake-cli-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snowflakedb%2Fsnowflake-cli-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snowfla
kedb%2Fsnowflake-cli-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snowflakedb%2Fsnowflake-cli-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snowflakedb%2Fsnowflake-cli-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/snowflakedb","download_url":"https://codeload.github.com/snowflakedb/snowflake-cli-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/snowflakedb%2Fsnowflake-cli-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270940583,"owners_count":24671674,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","data-ops","devops-tools","snowflake","sql"],"created_at":"2025-06-07T13:06:36.129Z","updated_at":"2026-02-23T21:10:41.702Z","avatar_url":"https://github.com/snowflakedb.png","language":"Shell","readme":"# Snowflake CLI Github Actions\n\n**Note:** Snowflake CLI Github Actions is in Preview.\n\n## Usage\n\nSnowflake CLI Github Actions streamline installing and using [Snowflake CLI](https://docs.snowflake.com/developer-guide/snowflake-cli-v2/index) in your CI/CD workflows. 
The CLI is installed in an\nisolated way, making sure it won't conflict with dependencies of your project. It automatically sets up\nthe input configuration file within the `~/.snowflake/` directory.\n\nThe action enables automation of your Snowflake CLI tasks, such as deploying Native Apps or running Snowpark scripts within your Snowflake environment.\n\n## Inputs\n\n### `cli-version`\n\nThe specified Snowflake CLI version, for example `3.6.0`. If not provided, the latest version of the Snowflake CLI is used.\n\n### `custom-github-ref`\n\nThe branch, tag, or commit to install from if you want to install the CLI directly from GitHub.\n\n\u003e **Note:** `cli-version` and `custom-github-ref` cannot be used together. Please specify only one of these arguments at a time.\n\n### `use-oidc`\n\nBoolean flag to enable OIDC authentication. When set to `true`, the action will configure the CLI to use GitHub's OIDC token for authentication with Snowflake, eliminating the need for storing private keys as secrets. Default is `false`.\n\n### `default-config-file-path`\n\nPath to the configuration file (`config.toml`) in your repository. The path must be relative to the root of the repository. The configuration file is not required when using a temporary connection (`-x` flag). Refer to the [Snowflake CLI documentation](https://docs.snowflake.com/en/developer-guide/snowflake-cli/connecting/configure-connections#use-a-temporary-connection) for more details.\n\n## Safely configure the action in your CI/CD workflow\n\n### Use WIF OIDC authentication\n\n_Requires Snowflake-CLI version 3.11 or above._\n\nWIF OIDC authentication provides a secure and modern way to authenticate with Snowflake without storing private keys as secrets. This approach uses GitHub's OIDC (OpenID Connect) token to authenticate with Snowflake.\n\nTo set up WIF OIDC authentication, follow these steps:\n\n1. 
**Configure WIF OIDC authentication in Snowflake**:\n\n   You need to set up a service user with the OIDC workload identity type:\n\n   ```sql\n   CREATE USER \u003cusername\u003e\n   TYPE = SERVICE\n   WORKLOAD_IDENTITY = (\n     TYPE = OIDC\n     ISSUER = 'https://token.actions.githubusercontent.com'\n     SUBJECT = '\u003cyour_subject\u003e'\n   )\n   ```\n\n   - _For examples, see [Example subject claims](https://docs.github.com/en/actions/reference/security/oidc#example-subject-claims) on GitHub._\n\n   - _For more information about customizing your subject, see [OpenID Connect reference](https://docs.github.com/en/actions/reference/security/oidc) on GitHub._\n\n   - _For more details on setting up OIDC authentication for your Snowflake account and configuring the GitHub OIDC provider, see the [Snowflake documentation](https://docs.snowflake.com/en/user-guide/workload-identity-federation)._\n\n2. **Store your Snowflake account in GitHub secrets**:\n\n   Store your Snowflake account identifier in GitHub Secrets. Refer to the [GitHub Actions documentation](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository) for detailed instructions.\n\n3. 
**Configure the Snowflake CLI Action with OIDC authentication**:\n\n   ```yaml\n   name: Snowflake OIDC\n   on: [push]\n   \n   permissions:\n     id-token: write  # Required for OIDC token generation\n     contents: read\n   \n   jobs:\n     oidc-job:\n       runs-on: ubuntu-latest\n       steps:\n         - uses: actions/checkout@v4\n           with:\n             persist-credentials: false\n         - name: Setup Snowflake cli\n           uses: snowflakedb/snowflake-cli-action@v2.0\n           with:\n             use-oidc: true\n             cli-version: \"3.11\"\n         - name: test connection\n           env:\n             SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n           run: snow connection test -x\n   ```\n\n### Alternative authentication methods\n\nThe following methods can be used as alternatives to OIDC authentication:\n\n#### Prerequisites for key-based authentication\n\nThese steps are a prerequisite for both key-based methods:\n\n1. **Generate a private key**:\n\n   Generate a key pair for your Snowflake account following this [user guide](https://docs.snowflake.com/en/user-guide/key-pair-auth).\n\n2. **Store credentials in GitHub secrets**:\n\n   Store each credential, such as account, private key, and passphrase, in GitHub Secrets. Refer to the [GitHub Actions documentation](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository) for detailed instructions on how to create and manage secrets for your repository.\n\n#### Use a temporary connection\n\nTo set up Snowflake credentials for a temporary connection, follow these steps.\n\n1. **Map secrets to environment variables**:\n\n    Map each secret to an [environment variable](https://docs.snowflake.com/en/developer-guide/snowflake-cli/connecting/configure-connections#use-environment-variables-for-snowflake-credentials) using the format `SNOWFLAKE_\u003ckey\u003e=\u003cvalue\u003e`. 
For example:\n\n    ```yaml\n    env:\n      SNOWFLAKE_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}\n      SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n    ```\n\n2. **Configure the Snowflake CLI Action**:\n    If you want to use the latest version, you don't need to include the `cli-version` parameter. Otherwise, include it along with a specific version.\n\n    Example:\n\n    ```yaml\n    - uses: snowflakedb/snowflake-cli-action@v1.5\n      with:\n        cli-version: \"3.6.0\"\n    ```\n\n3. **[Optional] Set up a passphrase if the private key is encrypted**:\n\n    Add an environment variable named `PRIVATE_KEY_PASSPHRASE` and set it to the private key passphrase. This passphrase is used by Snowflake to decrypt the private key.\n\n    ```yaml\n    - name: Execute Snowflake CLI command\n      env:\n        PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }}\n      run: |\n        snow --version\n        snow connection test -x\n    ```\n\n4. **[Extra] Use a password instead of a private key**:\n\n     Unset the environment variable `SNOWFLAKE_AUTHENTICATOR`, and then add a new variable with the password as follows:\n\n     ```yaml\n     env:\n       SNOWFLAKE_USER: ${{ secrets.SNOWFLAKE_USER }}\n       SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n       SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}\n     ```\n\n    \u003e **Note**: To enhance your experience when using a password and MFA, it is recommended to configure MFA caching. For more information, refer to the [Snowflake CLI documentation](https://docs.snowflake.com/en/developer-guide/snowflake-cli/connecting/configure-connections#use-multi-factor-authentication-mfa).\n\nFor more information on setting Snowflake credentials using environment variables, refer to the [Snowflake CLI documentation](https://docs.snowflake.com/en/developer-guide/snowflake-cli-v2/connecting/specify-credentials#how-to-use-environment-variables-for-snowflake-credentials). 
Instructions for defining environment variables within your GitHub CI/CD workflow can be found [here](https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow).\n\n#### Use a configuration file\n\nTo set up Snowflake credentials for a specific connection, follow these steps.\n\n1. **Add `config.toml` to your repository**:\n\n   Create a `config.toml` file at the root of your repository with an empty connection configuration. For example:\n\n   ```toml\n   default_connection_name = \"myconnection\"\n\n   [connections.myconnection]\n   ```\n\n   This file serves as a template and should not contain actual credentials.\n\n2. **Map secrets to environment variables**:\n\n   Map each secret to an environment variable using the format `SNOWFLAKE_CONNECTIONS_\u003cconnection-name\u003e_\u003ckey\u003e=\u003cvalue\u003e`. This overrides the credentials defined in `config.toml`. For example:\n\n   ```yaml\n   env:\n     SNOWFLAKE_CONNECTIONS_MYCONNECTION_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}\n     SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n   ```\n\n3. **Configure the Snowflake CLI action**:\n\n   Add the `default-config-file-path` parameter to the Snowflake CLI action step in your workflow file. This specifies the path to your `config.toml` file. For example:\n\n   ```yaml\n   - uses: snowflakedb/snowflake-cli-action@v1\n     with:\n       cli-version: \"3.6.0\"\n       default-config-file-path: \"config.toml\"\n   ```\n\n   Replace `latest` with a specific version of Snowflake CLI action, if needed.\n\n4. **[Optional] Set up a passphrase if the private key is encrypted**:\n\n   Add an additional environment variable named `PRIVATE_KEY_PASSPHRASE` and set it to the private key passphrase. 
This passphrase is used by Snowflake to decrypt the private key.\n\n   ```yaml\n   - name: Execute Snowflake CLI command\n     env:\n       PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }}\n     run: |\n       snow --version\n       snow connection test\n   ```\n\n5. **[Extra] Use a password instead of a private key**:\n\n   Unset the environment variable `SNOWFLAKE_CONNECTIONS_MYCONNECTION_AUTHENTICATOR`, and then add a new variable with the password as follows:\n\n   ```yaml\n   env:\n     SNOWFLAKE_CONNECTIONS_MYCONNECTION_USER: ${{ secrets.SNOWFLAKE_USER }}\n     SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n     SNOWFLAKE_CONNECTIONS_MYCONNECTION_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}\n   ```\n\n   \u003e **Note**: To enhance your experience when using a password and MFA, it is recommended to configure MFA caching. For more information, refer to the [Snowflake CLI documentation](https://docs.snowflake.com/en/developer-guide/snowflake-cli/connecting/configure-connections#use-multi-factor-authentication-mfa).\n\n## Usage examples\n\n### Use a temporary connection\n\nYAML file:\n\n```yaml\nname: deploy\non: [push]\n\njobs:\n   version:\n      name: \"Check Snowflake CLI version\"\n      runs-on: ubuntu-latest\n      steps:\n         # Snowflake CLI installation\n         - uses: snowflakedb/snowflake-cli-action@v1.5\n\n            # Use the CLI\n         - name: Execute Snowflake CLI command\n           env:\n              SNOWFLAKE_AUTHENTICATOR: SNOWFLAKE_JWT\n              SNOWFLAKE_USER: ${{ secrets.SNOWFLAKE_USER }}\n              SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n              SNOWFLAKE_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}\n              PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }} # Passphrase is only necessary if private key is encrypted.\n           run: |\n              snow --help\n              snow connection test -x\n```\n\n### Use a configuration file\n\nConfiguration 
file:\n\n```toml\ndefault_connection_name = \"myconnection\"\n\n[connections.myconnection]\n```\n\nYAML file:\n\n```yaml\nname: deploy\non: [push]\njobs:\n  version:\n    name: \"Check Snowflake CLI version\"\n    runs-on: ubuntu-latest\n    steps:\n      # Checkout step is necessary if you want to use a config file from your repo\n      - name: Checkout repo\n        uses: actions/checkout@v4\n        with:\n          persist-credentials: false\n\n        # Snowflake CLI installation\n      - uses: snowflakedb/snowflake-cli-action@v1.5\n        with:\n          default-config-file-path: \"config.toml\"\n\n        # Use the CLI\n      - name: Execute Snowflake CLI command\n        env:\n          SNOWFLAKE_CONNECTIONS_MYCONNECTION_AUTHENTICATOR: SNOWFLAKE_JWT\n          SNOWFLAKE_CONNECTIONS_MYCONNECTION_USER: ${{ secrets.SNOWFLAKE_USER }}\n          SNOWFLAKE_CONNECTIONS_MYCONNECTION_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}\n          SNOWFLAKE_CONNECTIONS_MYCONNECTION_PRIVATE_KEY_RAW: ${{ secrets.SNOWFLAKE_PRIVATE_KEY_RAW }}\n          PRIVATE_KEY_PASSPHRASE: ${{ secrets.PASSPHARSE }} # Passphrase is only necessary if private key is encrypted.\n        run: |\n          snow --help\n          snow connection test\n```\n\n### Install from a GitHub branch or tag\n\nTo install Snowflake CLI from a specific branch, tag, or commit in the GitHub repository (for example, to test unreleased features or a fork), use the following configuration (available from snowflake-cli-action v1.6):\n\n```yaml\n- uses: snowflakedb/snowflake-cli-action@v1.6\n  with:\n    custom-github-ref: \"feature/my-branch\"   # or a tag/commit hash\n```\n\nThis will install the CLI from the specified branch, tag, or commit. 
You can combine this with other inputs as needed.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnowflakedb%2Fsnowflake-cli-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnowflakedb%2Fsnowflake-cli-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnowflakedb%2Fsnowflake-cli-action/lists"}