Skip to main content
This is the full field reference for blueprints. For an introduction to blueprints and how they fit into Devin’s environment, see Declarative environment configuration.
A blueprint defines how Devin’s environment is configured: what tools to install, how to keep dependencies up to date, and what commands Devin should know about.

Overview

A blueprint has three core top-level sections, plus a post-build section for org- and enterprise-level blueprints and an optional clone section for repo-level blueprints:
All sections are optional. You can include any combination. initialize runs during full builds and for workspaces rebuilt from scratch. Results are saved in the snapshot. In a differential build, inherited workspaces skip initialize, pull the latest code, and run only maintenance. Write maintenance so it is self-contained and can run independently on top of the existing snapshot without requiring initialize to run immediately beforehand or relying on environment variables that initialize previously wrote to $ENVRC. At the start of every session, maintenance commands are not auto-executed — instead, they are surfaced to the agent as context so it knows which dependency commands to run if needed (e.g. after pulling latest code). Commands should still be fast and incremental. Builds run automatically when your blueprint changes and periodically (every ~24 hours).

initialize

Use initialize for installing tools and runtimes that don’t depend on the specific state of your code: language runtimes, system packages, global CLIs.

Simple form

For straightforward shell commands, use a block scalar:

Structured form

For named steps, environment variables, or GitHub Actions, use a list:
Both forms can be mixed. The simple form is equivalent to a single step with run.

When to use initialize vs maintenance

Both sections run during full builds. In differential builds, inherited workspaces skip initialize and run only maintenance after pulling the latest code. Tools and runtimes go in initialize; dependency commands that track your code’s lock files go in maintenance.

maintenance

Use maintenance for dependency installation and other commands that should run after your code is cloned. These commands run during builds and are surfaced to the agent at session start so it can re-run them if dependencies have changed. This is where npm install, pip install, uv sync, and similar commands belong.
Or in structured form:
For repo-level blueprints, maintenance commands run from the repository root directory. For org-level blueprints, they run from the home directory (~).

knowledge

The knowledge section is not executed. It provides reference information that Devin uses when working in your project. This is how you tell Devin the correct commands for linting, testing, building, and any other project-specific workflows.
Each knowledge item has: The name field is a label. By convention, lint, test, and build are the standard names. Devin references these when verifying its work. You can add any additional knowledge items with custom names:

post-build

The post-build section is available on organization-level and enterprise-level blueprints only (it is not supported in repo-level blueprints). Its steps run during the build after all repositories have been cloned and their initialize and maintenance steps have completed, but before the health check and the snapshot image is created. This makes it the right place for cross-repo validation and health checks that need the fully assembled environment. Because it runs late in the build with the whole environment in place, a post-build step can see every cloned repo and every tool installed by the enterprise, org, and repo blueprints.
Or in structured form:
post-build steps fail the build on a non-zero exit code. If a post-build step exits non-zero, the build is marked failed and no snapshot image is produced. Use this to gate snapshots on health checks — but make sure the commands are reliable so a flaky check doesn’t block your builds.
post-build steps use the same step types as initialize and maintenance (shell run commands and GitHub Actions uses), and run from the home directory (~).

clone

For repo-level blueprints, the optional clone section overrides defaults used when Devin clones the repository into the snapshot. Every field is optional and falls back to a sensible default that preserves current behavior.
clone only applies to repo-level blueprints — it controls how that specific repo is cloned into the snapshot. It has no effect in org-level or enterprise-level blueprints.

Step types

Each step in initialize, maintenance, or post-build uses one of two types: shell commands (run) or GitHub Actions (uses).

Shell commands (run)

Execute arbitrary shell commands in bash:
Execution details:
  • Commands run in bash. If any command in a multi-line script fails, the entire step stops immediately.
  • Org-level blueprints execute in the home directory (~).
  • Repo-level blueprints execute in the cloned repository root.
  • Each step has a timeout of 1 hour.
  • Secrets are automatically available as environment variables.

GitHub Actions (uses)

Run Node.js-based GitHub Actions directly in your blueprint:
Action reference format:
The github.com/ prefix and @<ref> suffix are both required. The ref is typically a version tag like v5. Commonly used actions:
Only Node.js-based GitHub Actions are supported. Composite actions and Docker-based actions are not supported.
How with values work: Values passed via with are provided to the action as inputs, following the same conventions as GitHub Actions workflows. All values are converted to strings.
How actions propagate changes: Actions can modify the environment for subsequent steps. For example, setup-python adds the Python binary to PATH, which remains available for all later steps and in maintenance.

run vs uses: which to use

In practice, most configurations use uses for language runtimes and run for everything else.

Environment variables and secrets

Step-level environment variables

Any step can define extra environment variables with the env field:
These are scoped to the step and don’t persist to subsequent steps.

Cross-step environment variables ($ENVRC)

To propagate environment variables across steps, write them to the $ENVRC file:
Variables written to $ENVRC are automatically exported and available to all subsequent steps and the Devin session produced by the current build. This works similarly to $GITHUB_ENV in GitHub Actions. This also applies to PATH. If you install a tool to a non-standard directory (anything outside /usr/bin or /usr/local/bin), append it to $ENVRC so subsequent steps and repo-level blueprints can find the binary:
A plain export PATH=... inside a run: block only affects that step’s shell. Each step starts a new shell process, so PATH changes that are not written to $ENVRC are lost.
uses: actions (e.g. actions/setup-node) automatically propagate their PATH additions to $ENVRC — you only need to do this manually for run: steps.
$ENVRC is reset at the start of every build, including differential builds. Values written during one build are not available to the next build. In particular, an inherited workspace runs only maintenance, so it cannot rely on PATH or other variables that initialize wrote to $ENVRC in the parent build. Configure any environment required by maintenance within maintenance itself.

Secrets

Secrets configured in the Devin UI (via the Secrets tab in each blueprint editor) are automatically injected as environment variables. You don’t declare them in your blueprint. Just reference them by name (e.g., $MY_SECRET). Secrets are injected before every step runs during builds and re-injected at the start of every session. They are scrubbed from the snapshot image itself, so credentials are never baked into saved machine images.
  • Organization secrets: Available as environment variables in every step across all blueprints in the org. Set these in the Secrets tab of the org-wide blueprint editor.
  • Enterprise secrets: Merged with org secrets (org secrets take precedence on name collisions). Available across all orgs in the enterprise.
  • Repository secrets: Written to a per-repo file at /run/repo_secrets/{owner/repo}/.env.secrets. During builds, repo secrets are automatically sourced before that repo’s blueprint steps run. At session time, Devin sources them when working in the repo. Configure these in the Secrets tab of the repository’s blueprint editor.
Build-only secrets: Secrets marked as “build only” are available during snapshot builds but removed before the snapshot is saved. Use these for credentials needed only at build time (e.g., downloading private artifacts during initialize).
maintenance runs during builds. At session start, maintenance commands are surfaced to the agent (not auto-executed), so the agent may re-run them if needed. If a maintenance step writes secrets into config files (e.g., ~/.m2/settings.xml, ~/.npmrc), those files will be baked into the snapshot. Place credential-writing steps in maintenance (not initialize) so they are refreshed during periodic builds, but be aware the written files persist in the image. For maximum security, use environment variables or $ENVRC instead of writing credentials to disk.

File attachments

You can upload files (like .npmrc, settings.xml, configuration files) through the blueprint editor. Uploaded files are written to ~/.files/ and an environment variable is set pointing to each file’s path:
The variable name is derived from the file name: uppercase, with non-alphanumeric characters replaced by underscores, prefixed with FILE_. Use file attachments in your blueprint steps:

Git-backed blueprints

You can store blueprints as .devin/blueprint.yaml files directly in your repository, then sync them via the API or the UI. See Git-backed blueprints for setup instructions and details.

Complete example

For how blueprints compose across tiers (enterprise → org → repo), build statuses, repository states, and what triggers a rebuild, see Builds and sessions on the Declarative configuration page.

Org-wide blueprint

Shared tooling that every repo in the org needs. This runs first (after any enterprise blueprint), in the home directory.

Repo-level blueprint

Project-specific setup for a Node.js + Python monorepo. This runs after the org-wide blueprint, in the repository directory.