UiPath CLI user guide

This page covers what every CI pipeline deploying a UiPath Solution needs, regardless of whether you run on Azure DevOps, GitHub Actions, Jenkins, or GitLab: auth, caching, tool pre-install, and version pinning. The platform-specific syntax lives in the recipe pages — this one gives you the moving parts so you can read any of them with confidence.

A production pipeline that ships a Solution always has the same five stages:

Stage 4 is the one that varies the most between platforms, because secret syntax is platform-specific. Stages 1–3 and 5 are nearly identical everywhere.

In a headless environment you authenticate with an External Application (client credentials). See Authentication — Flow 2 for how to create one in the UiPath portal.

Store the credentials in your platform's secret store (never in source control, never in a plain env var file). Pass them to uip login with the special env. prefix:

The env.VAR_NAME prefix tells uip to read the value from the VAR_NAME environment variable at runtime. This keeps the secret out of shell history and process listings — unlike --client-secret "$UIPATH_CLIENT_SECRET", which expands on the command line and can leak via ps.

In your pipeline, inject the secrets into the step's environment under the exact variable names you reference:

In every case, the uip login command itself looks identical — --client-id env.UIPATH_CLIENT_ID --client-secret env.UIPATH_CLIENT_SECRET. Only how the env var arrives in the step changes.

uip login persists the session inside a .uipath/ folder. On most CI runners the working directory is already stateless, so the session ends with the job — which is the desired behaviour. If your runner is persistent, either remove the session with uip logout at the end of the job or set --file to a job-local path. See Sessions and credentials.

A session holds one organization and one tenant at a time. To target different UiPath organizations from the same pipeline — for example, to promote a Solution from a build org into a customer org — re-run uip login between the two blocks with a different External Application. Each login overwrites the previous session.

Create one External App per org (each with its own OR.* scopes). Store both client IDs and secrets in the pipeline's secret store under distinct names:

Same pattern for different tenants within a single org — except tenants don't need a second login. Pass --tenant <name> on any uip or … call to override the session tenant for a single command, without re-authenticating.

The CLI ships with no tools pre-installed. The first time you run a verb from an uninstalled tool, uip auto-installs it from npm — which is fine on a laptop but adds 5–10 seconds of latency to the first command on a stateless CI runner.

Install the tools you use upfront, as a separate step:

Add @uipath/test-manager-tool when you run Test Manager, @uipath/agent-tool when you deploy Agents, @uipath/resource-tool when you manage assets/queues/buckets outside of a Solution. See the tools reference for the full list.

Auto-install is a no-op when the tool is already installed, so the pre-install step is the only behavior change you need — nothing else in your pipeline has to know about it.

CI runners that re-install @uipath/cli on every job waste 20–40 seconds of download and decompression. Caching the npm global node_modules directory turns that into a cache hit — usually under a second.

The directory to cache is the one reported by npm root -g (typically ~/.npm-global/lib/node_modules on Linux/macOS, %APPDATA%\npm\node_modules on Windows). Key the cache on the CLI version you pin, so a version bump invalidates the cache cleanly:

When the cache hits, you can skip both npm install -g @uipath/cli and uip tools install — the uip executable and its tools are already on the PATH. A small bash guard does this cleanly:

The concrete YAML/Groovy for each platform is in the recipe pages.

Reproducible pipelines pin everything. Four versions matter:

The .zip path is deterministic (./dist/my-solution.${SOLUTION_VERSION}.zip), so downstream steps can construct it without parsing the uip solution pack JSON output.

See Scripting patterns — pinning versions in CI for the tool-pinning rules in depth.

Every platform boils down to this:

set -euo pipefail makes the script fail fast: -e aborts on any non-zero exit, -u catches undefined variables, -o pipefail propagates failures through pipes. This is the pattern every recipe in this documentation uses. See Scripting patterns — strict shell options.

If the Solution includes a test set, launch → wait → verify it before marking the pipeline green. The three-step pattern is important: uip tm testset execute exits 0 as soon as the run is queued, not when tests pass — so you need uip tm wait to block and uip tm report get to read the verdict.

See How-to: run tests from the CLI for the full pattern with error handling.

Access tokens can expire during long-running pipelines. The scripting-patterns page has the canonical retry pattern: branch on exit code 2 (AuthenticationError), re-run uip login, retry once, fail otherwise. In most CI pipelines this is unnecessary — jobs are short enough that the initial login's token lasts the whole run — but long test suites or multi-tenant promotion loops can benefit from it.

For complete, copy-pasteable pipelines in your platform's native syntax:

Each recipe shows the full pipeline (install → auth → pack → publish → deploy → test), the secret wiring, a cache entry, and variations for pinning versions and running tests.