$SECRET_NAME. Configure these in the Secrets tab within each blueprint editor before using a template. Never hardcode credentials in your blueprint.Quick start
Minimal blueprints for the most common setups. Copy one, paste it into the blueprint editor, and you’re done.Node.js project
Node.js project
Python project
Python project
Full-stack (Node + Python)
Full-stack (Node + Python)
Repository blueprints
Per-repo build steps, dependency management, and knowledge entries. Set these in Settings > Environment > Blueprints > [your repo].Python
- uv (recommended)
- pip + venv
Node.js
- npm
- pnpm
npm install (not npm ci) in maintenance. It does an incremental update, while npm ci deletes node_modules and reinstalls from scratch every session.Go
Standard Go setup with modules.Java
- Gradle
- Maven
Ruby on Rails
Rails setup with PostgreSQL.Rust
Standard Rust setup with cargo.Monorepos
- Multi-language
- Multiple JDK versions
Private package registries
Configure package managers to resolve dependencies from private registries. Set these in Settings > Environment > Blueprints > Org-wide setup (or per-repo if only one repo needs it).Node.js registries
- npm (scoped)
- npm (full mirror)
- pnpm
- Yarn
@myorg/*) from a private registry, while public packages continue to come from the default npm registry.Required secrets
Required secrets
GITHUB_PACKAGES_TOKEN— Personal access token or GitHub App token withread:packagesscope
Python registries
- pip / uv
- Poetry
Required secrets
Required secrets
PYPI_REGISTRY_URL— Full URL of your PyPI index, including credentials if required (e.g.,https://user:token@nexus.example.com/repository/pypi-proxy/simple)
JVM registries
- Maven
- Gradle
Required secrets
Required secrets
MAVEN_REGISTRY_URL— URL of your Maven registry (e.g.,https://artifactory.example.com/artifactory/maven-virtual)REGISTRY_USER— Registry usernameREGISTRY_PASS— Registry password or API token
Other registries
Go module proxy
Go module proxy
Required secrets
Required secrets
GO_PROXY_URL— URL of your Go module proxy (e.g.,https://athens.corp.internal)GIT_TOKEN— Personal access token for private Git repos that host Go modules
.NET / NuGet
.NET / NuGet
Required secrets
Required secrets
NUGET_SOURCE_URL— URL of your NuGet feedNUGET_API_KEY— API key or PAT for the feed
Docker
Docker
Required secrets
Required secrets
DOCKER_MIRROR_URL(optional) — URL of your Docker Hub mirror (e.g.,https://mirror.corp.internal)DOCKER_REGISTRY_URL— URL of your private container registry (e.g.,registry.corp.internal:5000)DOCKER_REGISTRY_USER— Registry usernameDOCKER_REGISTRY_PASS— Registry password or API token
Rust / Cargo
Rust / Cargo
Required secrets
Required secrets
CARGO_REGISTRY_INDEX— URL of the private registry index (e.g.,sparse+https://cargo.corp.internal/api/v1/crates/)CARGO_REGISTRY_TOKEN— Auth token for the private registry
Ruby / Bundler
Ruby / Bundler
Required secrets
Required secrets
GEM_SERVER_URL— URL of your private gem server (e.g.,https://artifactory.example.com/artifactory/api/gems/gems-virtual)REGISTRY_USER— Registry usernameREGISTRY_PASS— Registry password or API token
PHP / Composer
PHP / Composer
Required secrets
Required secrets
COMPOSER_REGISTRY_URL— URL of your private Composer registry (e.g.,https://repo.packagist.com/<org>)REGISTRY_USER— Registry usernameREGISTRY_PASS— Registry password or API token
AWS CodeArtifact token refresh
AWS CodeArtifact token refresh
maintenance to set up the token refresh command so the agent can re-run it when needed. This example configures npm, pip, and Maven to use CodeArtifact.awscli is pre-installed on Devin’s base image. You only need the token refresh and registry configuration.Required secrets
Required secrets
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY— IAM credentials withcodeartifact:GetAuthorizationTokenandsts:GetServiceBearerTokenpermissionsCA_DOMAIN— Your CodeArtifact domain nameCA_DOMAIN_OWNER— AWS account ID that owns the domainCA_REGION— AWS region (e.g.,us-east-1)CA_NPM_REPO,CA_PYPI_REPO,CA_MAVEN_REPO— Repository names for each ecosystem
Enterprise infrastructure
Machine-level infrastructure that applies across all orgs and repos. Set these in Settings > Devin’s base environment (for enterprise-wide) or Settings > Environment > Blueprints > Org-wide setup (for org-wide).Network and connectivity
Corporate CA certificate
Corporate CA certificate
Required secrets
Required secrets
CORP_ROOT_CA_B64— Base64-encoded PEM certificate from your corporate CA. Generate with:cat corp-root-ca.crt | base64 -w0
Multiple CA certificates
Multiple CA certificates
Required secrets
Required secrets
CORP_ROOT_CA_B64— Base64-encoded primary CA certificateCORP_INTERMEDIATE_CA_B64— Base64-encoded intermediate CA certificate
HTTP/HTTPS proxy
HTTP/HTTPS proxy
Required secrets
Required secrets
CORP_HTTP_PROXY— HTTP proxy URL (e.g.,http://proxy.corp.example.com:8080)CORP_HTTPS_PROXY— HTTPS proxy URLCORP_NO_PROXY— Comma-separated list of hosts to bypass proxy (e.g.,localhost,127.0.0.1,.corp.example.com)
Authenticated proxy
Authenticated proxy
Required secrets
Required secrets
PROXY_USER— Proxy usernamePROXY_PASS— Proxy passwordPROXY_HOST— Proxy hostname and port (e.g.,proxy.corp.example.com:8080)CORP_NO_PROXY— Hosts to bypass proxy
CA certificate + proxy (combined)
CA certificate + proxy (combined)
Required secrets
Required secrets
CORP_ROOT_CA_B64— Base64-encoded corporate CA certificateCORP_HTTP_PROXY,CORP_HTTPS_PROXY— Proxy URLsCORP_NO_PROXY— Hosts to bypass proxy
VPN connection
VPN connection
Required secrets
Required secrets
VPN_CONFIG_B64— Base64-encoded OpenVPN config file (.ovpn). Generate with:cat corp.ovpn | base64 -w0VPN_AUTH_USER(optional) — VPN username, if your VPN requires username/password authVPN_AUTH_PASS(optional) — VPN password
WG_CONFIG_B64— Base64-encoded WireGuard config file. Generate with:cat wg0.conf | base64 -w0
Custom DNS resolution
Custom DNS resolution
Identity and security
GPG commit signing
GPG commit signing
Required secrets
Required secrets
GPG_PRIVATE_KEY_B64— Base64-encoded GPG private key. Generate with:gpg --export-secret-keys <key-id> | base64 -w0GIT_USER_NAME— Git author name (e.g.,Devin AI)GIT_USER_EMAIL— Git author email. Must match a UID on the GPG key, otherwise GitHub will not verify the signature.
Git identity and SSH keys
Git identity and SSH keys
Required secrets
Required secrets
GIT_USER_NAME— Git author nameGIT_USER_EMAIL— Git author emailSSH_PRIVATE_KEY_B64— Base64-encoded SSH private key. Generate with:cat ~/.ssh/id_ed25519 | base64 -w0SSH_KNOWN_HOSTS_B64— Base64-encoded known hosts entries. Generate with:ssh-keyscan git.corp.internal | base64 -w0SSH_CONFIG_B64(optional) — Base64-encoded SSH config file
System configuration
System packages
System packages
Custom environment variables
Custom environment variables
KEY=VALUE lines to the $ENVRC file. Variables written to $ENVRC are automatically exported for all subsequent steps and the Devin session (similar to GitHub Actions’ $GITHUB_ENV).Locale and timezone
Locale and timezone
Resource limits (ulimits)
Resource limits (ulimits)
APT mirror replacement
APT mirror replacement
Required secrets
Required secrets
APT_MIRROR_URL— URL of your internal APT mirror (e.g.,https://artifactory.example.com/artifactory/ubuntu-remote)
Advanced patterns
Environment variables with direnv
Environment variables with direnv
initialize to create .envrc files. Direnv loads them automatically..envrc variables load automatically. No manual sourcing needed.Per-repository Node version switching
Per-repository Node version switching
.nvmrc.nvm use reads .nvmrc from the repo root. Make sure your repository has one (e.g., containing 20).Browser authentication (Playwright)
Browser authentication (Playwright)
localhost:29229 during sessions. Use Playwright scripts to automate browser-based login.scripts/login.py):Custom system tools and PATH
Custom system tools and PATH
initialize.GitHub Actions for tool setup
GitHub Actions for tool setup
setup-node and setup-python modify PATH and environment variables. Binaries installed by one action are available in all subsequent steps and in maintenance. Only Node.js-based GitHub Actions are supported. Composite and Docker-based actions are not.Local HTTPS reverse proxy for multiple apps
Local HTTPS reverse proxy for multiple apps
app.example.com, api.example.com, and admin.example.com. Install a single reverse proxy in initialize and route each hostname to a different local upstream port.Caddy handles routing and local TLS in one tool. A Caddyfile maps each hostname to an upstream, and tls internal auto-issues a trusted certificate per hostname from Caddy’s built-in CA. caddy trust installs that CA root into the system trust store, and adding the same root to the NSS database lets the browser accept it.Upload your Caddyfile via the File attachments section of the blueprint editor; it is then available as $FILE_CADDYFILE./etc/hosts loop is what makes app.example.com resolve to 127.0.0.1 inside the session. Add an entry for every hostname you put in the Caddyfile.Full-stack examples
These examples show how enterprise and org-level configurations combine. In practice, you’d split these across scopes. They’re shown together here for reference.Full enterprise stack (Artifactory)
Full enterprise stack (Artifactory)
Required secrets
Required secrets
CORP_ROOT_CA_B64— Base64-encoded corporate CA certificateCORP_HTTP_PROXY— HTTP proxy URLCORP_HTTPS_PROXY— HTTPS proxy URLCORP_NO_PROXY— Hosts to bypass proxy
ARTIFACTORY_USER— Artifactory usernameARTIFACTORY_TOKEN— Artifactory API token or passwordARTIFACTORY_MAVEN_URL— Maven repository URL (e.g.,https://artifactory.example.com/artifactory/maven-virtual)ARTIFACTORY_PYPI_URL— PyPI repository URL (e.g.,https://user:token@artifactory.example.com/artifactory/api/pypi/pypi-virtual/simple)ARTIFACTORY_NPM_URL— npm repository URL (e.g.,https://artifactory.example.com/artifactory/api/npm/npm-virtual)ARTIFACTORY_DOCKER_URL— Docker registry URL (e.g.,artifactory.example.com)
- Account-wide (
initialize): Certificate and proxy - Org-wide (
initialize): Language runtime installs - Org-wide (
maintenance): Registry credentials (refreshed during builds, surfaced to agent at session start)
Multi-language with different registries
Multi-language with different registries
Required secrets
Required secrets
NEXUS_MAVEN_URL— Nexus Maven repository URLNEXUS_USER— Nexus usernameNEXUS_PASS— Nexus passwordGITHUB_PACKAGES_TOKEN— GitHub personal access token withread:packagesscopeARTIFACTORY_USER— Artifactory usernameARTIFACTORY_TOKEN— Artifactory API tokenGIT_TOKEN— Personal access token for Go private modules
Air-gapped environment with private mirrors
Air-gapped environment with private mirrors
Required secrets
Required secrets
CORP_ROOT_CA_B64— Base64-encoded corporate CA certificate
APT_MIRROR_URL— Internal Ubuntu APT mirror URLMIRROR_USER— Mirror authentication usernameMIRROR_PASS— Mirror authentication passwordJDK_TARBALL_URL— URL to download JDK tarball from internal mirrorNODE_TARBALL_URL— URL to download Node.js tarball from internal mirror
INTERNAL_MAVEN_URL— Internal Maven registry URLINTERNAL_NPM_URL— Internal npm registry URLINTERNAL_PYPI_URL— Internal PyPI registry URL
VPN + certificates + proxy + languages
VPN + certificates + proxy + languages
Required secrets
Required secrets
VPN_CONFIG_B64— Base64-encoded OpenVPN config file
CORP_ROOT_CA_B64— Base64-encoded corporate CA certificateCORP_HTTP_PROXY— HTTP proxy URLCORP_HTTPS_PROXY— HTTPS proxy URLCORP_NO_PROXY— Hosts to bypass proxy
MAVEN_REGISTRY_URL— Maven registry URLNPM_REGISTRY_URL— npm registry URLPYPI_REGISTRY_HOST— PyPI registry hostnameREGISTRY_USER— Registry username (for Maven and pip)REGISTRY_PASS— Registry password (for Maven and pip)REGISTRY_TOKEN— npm auth token
initialize steps. VPN must come first (so internal hosts are reachable), then DNS (so names resolve), then certificates (so HTTPS works), then proxy (so traffic routes correctly), and finally language runtimes (which may download from internal mirrors).Tips for writing good blueprints
- Test commands in a session first. Run commands manually in a Devin session before adding them to your blueprint. This is faster than waiting for a full build cycle.
- Use
initializefor install-once tools,maintenancefor deps. Anything that takes minutes to install (compilers, large binaries, global tools) belongs ininitialize. Quick dependency commands (npm install,uv sync) go inmaintenance. - Keep
maintenancecommands fast. Aim for under 2 minutes. These run during builds and are surfaced to the agent at session start. - Use
$ENVRCfor environment variables. Don’t write to.bashrcor.profile.$ENVRCis the supported mechanism for setting variables across steps and sessions. - Name your steps. The expanded form with
namefields makes build log failures much easier to identify. - Use subshells for monorepos.
(cd packages/foo && npm install)runs in a subshell so subsequent steps aren’t affected by the directory change. - Use
npm install, notnpm ci.npm cideletesnode_modulesand reinstalls from scratch, which is slow formaintenance. - Use repo secrets for sensitive values. Configure them in the Secrets tab of the repository’s blueprint editor instead of hardcoding in blueprints.

