> ## Documentation Index
> Fetch the complete documentation index at: https://ona.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# CLI
> Manage environments, SSH access, and automations from your terminal.
Manage environments from your terminal - create, start, stop, SSH into environments, and run automations.
## Installation
### Homebrew (macOS and Linux)
```bash theme={null}
brew install gitpod-io/tap/ona
```
The formula auto-detects your OS and architecture. Updates are handled by `brew upgrade ona`.
### macOS and Linux
```bash theme={null}
curl -o ona -fsSL "https://app.gitpod.io/releases/cli/stable/gitpod-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m | sed 's/x86_64/amd64/;s/\(arm64\|aarch64\)/arm64/')" && \
chmod +x ona && \
sudo mv ona /usr/local/bin
```
### Direct download
| Platform | Downloads |
| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| macOS | [x86\_64](https://app.gitpod.io/releases/cli/stable/gitpod-darwin-amd64) \| [arm64](https://app.gitpod.io/releases/cli/stable/gitpod-darwin-arm64) |
| Linux | [x86\_64](https://app.gitpod.io/releases/cli/stable/gitpod-linux-amd64) \| [arm64](https://app.gitpod.io/releases/cli/stable/gitpod-linux-arm64) |
| Windows | [x86\_64](https://app.gitpod.io/releases/cli/stable/gitpod-windows-amd64.exe) \| [arm64](https://app.gitpod.io/releases/cli/stable/gitpod-windows-arm64.exe) |
After downloading, make the binary executable and move it to your PATH:
```bash theme={null}
chmod +x ona
sudo mv ona /usr/local/bin
```
If macOS shows a security warning, approve the app in **System Settings → Privacy & Security**, or run:
```bash theme={null}
xattr -d com.apple.quarantine ona
```
**Verified installation**
Use SLSA verification during initial installation:
```bash theme={null}
curl -fsSL https://app.gitpod.io/releases/cli/install.sh | VERIFY_SLSA=true bash
```
Requirements: `jq`, `openssl`, `curl`
If SLSA verification fails, the installation aborts with an error. There is no fallback to unverified download - this ensures you're always notified of potential tampering.
**Manual [SLSA](https://slsa.dev) verification**
SLSA verification cryptographically proves the CLI was built by the official build system.
The verification script checks:
* Artifact SHA256 matches the attestation subject digest
* Provenance metadata confirms the build came from `gitpod-io/gitpod-next`
* Certificate was issued by Sigstore
* Entry exists in the Rekor transparency log
* DSSE envelope structure is valid
Requirements: `jq`, `openssl`, `curl`
```bash theme={null}
# Get manifest and extract packageHash for your platform
PLATFORM="linux-amd64" # or darwin-amd64, darwin-arm64, windows-amd64
MANIFEST=$(curl -sL https://app.gitpod.io/releases/cli/stable/manifest.json)
VERSION=$(echo "$MANIFEST" | jq -r '.version')
HASH=$(echo "$MANIFEST" | jq -r ".downloads[\"$PLATFORM\"].packageHash")
# Download tarball and attestation
BASE_URL="https://app.gitpod.io/releases/cli/releases/$VERSION"
curl -fsSL -O "$BASE_URL/$HASH.tar.gz"
curl -fsSL -O "$BASE_URL/$HASH.tar.gz.att"
# Download and run verification script
curl -fsSL -O https://app.gitpod.io/releases/cli/verify-slsa.sh
chmod +x verify-slsa.sh
./verify-slsa.sh "$HASH.tar.gz"
# Extract and install
tar -xzf "$HASH.tar.gz" ./ona-cli
chmod +x ona-cli
sudo mv ona-cli /usr/local/bin/ona
```
**Option 2: Checksum Verification**
Get the expected checksum:
```bash theme={null}
curl -sL https://app.gitpod.io/releases/cli/stable/manifest.json | jq -r '.downloads[""].digest'
```
Calculate your file's checksum and compare:
```bash theme={null}
shasum -a 256 ona
```
## Authentication
### Browser login
```bash theme={null}
ona login
```
Opens your browser to authenticate and stores credentials locally.
### Personal access token
For CI/CD pipelines and scripts, use a [personal access token](/ona/integrations/personal-access-token):
```bash theme={null}
ona login --token "your-token-here"
```
Or set the environment variable:
```bash theme={null}
export ONA_TOKEN="your-token-here"
ona login
```
### Inside Ona environments
The CLI is pre-installed and automatically authenticated with limited access. Run `ona login` to upgrade to full access.
When running inside an environment, the CLI automatically detects the current environment context. This means:
* **Environment ID is inferred**: Commands like `ona automations`, `ona environment port`, and other environment-specific commands work without requiring `--environment-id`
* **Context preserved after login**: When you run `ona login` inside an environment, the environment ID is preserved in your CLI context (as long as the login host matches the environment's host). This allows you to continue using environment-specific commands after authentication.
```bash theme={null}
# Inside an environment - no --environment-id needed
ona automations service list
ona environment port open 3000
# After running ona login, these still work without --environment-id
ona login
ona automations task start my-task
```
If you log into a different host than your environment (e.g., logging into `app.gitpod.io` from an environment on `ona.e-corp.com`), the environment ID will not be preserved.
## Common commands
| Command | Description |
| ------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| `ona whoami` | Show current user and access level |
| `ona environment list` | List your environments |
| `ona environment list --search ` | Search environments by ID, name, repository URL, or branch |
| `ona environment create ` | Create a new environment |
| `ona environment create --inactivity-timeout 1h` | Create an environment with a custom auto-stop timeout |
| `ona environment update --name ""` | Rename an environment |
| `ona environment update --inactivity-timeout 3h` | Update an environment's auto-stop timeout |
| `ona environment start ` | Start an environment |
| `ona environment stop ` | Stop an environment |
| `ona environment delete ` | Delete an environment |
| `ona environment ssh ` | SSH into an environment |
| `ona environment logs ` | View environment logs |
| `ona environment keep-alive` | [Keep environment alive](/ona/organizations/policies/environment-timeout#keep-environment-alive-during-long-running-tasks) while a process runs |
Use `-o json` or `-o yaml` for machine-readable output.
### Using partial environment IDs
Instead of typing full UUIDs, you can use any substring of an environment ID:
```bash theme={null}
# Full UUID
ona environment ssh 019194a6-f0b0-70a1-beae-99718c351b04
# Prefix
ona environment ssh 019194a6
# Suffix
ona environment ssh 351b04
# Any substring
ona environment ssh 70a1-beae
```
The CLI resolves the partial ID if it uniquely identifies an environment. If the substring matches multiple environments, you'll see an error listing all matching IDs. If no environments match, you'll be prompted to run `ona environment list` to see available environments.
### Using environment names
Give an environment a memorable name when you do not want to copy its UUID:
```bash theme={null}
# Rename an environment
ona environment update 019194a6 --name "api-dev"
# Use the name after renaming
ona environment ssh api-dev
ona environment port list api-dev
ona automations task start build --environment-id api-dev
```
Most user-facing environment commands accept an environment ID, a unique partial ID, or an exact environment name. Name matching is case-insensitive.
To clear a custom name, pass an empty value:
```bash theme={null}
ona environment update api-dev --name ""
```
Use `--inactivity-timeout` on `create` or `update` to set a custom auto-stop timeout. See [environment timeout](/ona/organizations/policies/environment-timeout) for details.
Names are not required to be unique. If a name matches more than one environment, the CLI asks you to use an environment ID instead.
Search across environment IDs, names, repository URLs, and branches with:
```bash theme={null}
ona environment list --search api-dev
```
## SSH access
Configure SSH for direct access:
```bash theme={null}
ona environment ssh-config
```
Then connect using:
```bash theme={null}
ssh .ona.environment
```
Generated SSH aliases and stored CLI contexts use environment IDs, not names. This keeps them stable if an environment is renamed.
You can also use partial environment IDs or environment names with the `ona environment ssh` command:
```bash theme={null}
# Connect using a prefix instead of the full UUID
ona environment ssh 019194a6
# Or use any unique substring
ona environment ssh beae-997
# Or use an exact environment name
ona environment ssh api-dev
```
For file transfers, use the `-O` flag:
```bash theme={null}
scp -O .ona.environment:/workspaces/project/file.txt ./local-file.txt
```
## Port management
```bash theme={null}
ona environment port list
ona environment port list api-dev
ona environment port open --name "my-service"
ona environment port close
```
## Automation commands
```bash theme={null}
ona automations init
ona automations update automations.yaml
ona automations task list
ona automations task start
ona automations task logs
ona automations service list
ona automations service start
```
Use `--environment-id ` to target a specific environment from outside that environment.
## Prebuild and warm pool commands
```bash theme={null}
# List prebuilds for a project
ona prebuild list --project-id
# Trigger a prebuild
ona prebuild trigger
# List all warm pools in the organization
ona prebuild warm-pool list
# List warm pools for a specific project
ona prebuild warm-pool list --project-id
# Create a warm pool (project admin required)
ona prebuild warm-pool create --environment-class-id --min-size 1 --max-size 2
# Get warm pool details
ona prebuild warm-pool get
# Update pool scaling bounds
ona prebuild warm-pool update --min-size 1 --max-size 3
# Delete a warm pool
ona prebuild warm-pool delete
```
See [Warm Pools](/ona/projects/warm-pools) for configuration and auditing details.
## Webhook commands
```bash theme={null}
ona webhook create --name "My Webhook" --type repository --scope "owner/repo" --provider github
ona webhook secret get
```
See [Webhooks](/ona/automations/webhooks) for setup details and SCM registration.
## Dotfiles management
Manage your dotfiles configuration directly from the CLI:
```bash theme={null}
# View current dotfiles configuration
ona user dotfiles get
# Set dotfiles repository
ona user dotfiles set --repository https://github.com/user/dotfiles
# Clear dotfiles configuration
ona user dotfiles set
```
The `get` command supports output formats:
```bash theme={null}
ona user dotfiles get -o json
ona user dotfiles get -o yaml
```
See [dotfiles documentation](/ona/configuration/dotfiles/overview) for more information about using dotfiles with Ona.
## Project and group management
```bash theme={null}
ona project list
ona project create
ona group list
ona group create --name "Team Name"
```
## Configuration
The CLI stores configuration at `~/.ona/configuration.yaml`.
```bash theme={null}
ona config context list
ona config context use
ona config set --autoupdate=true
ona config set --verify-slsa=true
ona config set --release-channel=latest
ona config set --organization-id=
```
## Shell completion
```bash theme={null}
# Bash
ona completion bash > /etc/bash_completion.d/ona
# Zsh
ona completion zsh > "${fpath[1]}/_ona"
# Fish
ona completion fish > ~/.config/fish/completions/ona.fish
```
## Updates
```bash theme={null}
ona version
ona version update
```
### SLSA verification for updates
Enable cryptographic verification of CLI updates to ensure binary integrity:
**Per-update verification:**
```bash theme={null}
ona version update --verify-slsa
```
**Persistent config:**
```bash theme={null}
ona config set --verify-slsa=true
ona version update # Now uses verification by default
```
The `--verify-slsa` flag takes precedence over the config value when explicitly set.
If SLSA verification fails, the update aborts with an error. There is no fallback to unverified download - this ensures you're always notified of potential tampering.
Run `ona help` or add `--help` to any command for more information.
## Troubleshooting
```bash theme={null}
ona login --non-interactive # For headless environments
ona login --token "" # Use token directly
```
If you see `too many authentication failures`, add to `~/.ssh/ona/config`:
```
Host *.ona.environment
IdentitiesOnly yes
```
Debug with:
```bash theme={null}
ssh -vvv .ona.environment
```