Push flows, dashboards, Namespace Files, and execution outputs to any Git provider. Pull back on schedule or webhook. Treat Git as the source of truth, with bidirectional namespace sync, dryRun diffs before every change, protected namespaces, and clone any external repo at flow runtime.
Make Git the source of truth for every flow with an orchestration engine that listens to schedules or PR webhooks, handles bidirectional namespace sync with dryRun diffs and protected namespaces, and chains Clone with Terraform, dbt, and Ansible pulled fresh at runtime. Cut the gap from Git merge to deploy down to the next 5-minute reconcile.
Kestra runs orchestration. Git holds the source of truth for what runs. The plugin lets you choose which side wins, push and pull by artifact type, sync an entire tenant, dryRun every change first, and clone external repos at runtime so the working directory is always fresh.
NamespaceSync syncs one namespace between a Git branch and Kestra. Set sourceOfTruth: GIT and Kestra reconciles to match the repo, deleting flows that disappeared from main. Set sourceOfTruth: KESTRA and the repo follows what was edited in the UI. whenMissingInSource controls deletion behavior: DELETE, KEEP, or FAIL. The direction is explicit, never implicit.
Four push tasks, one per artifact. PushFlows commits flow YAML under _flows/. PushNamespaceFiles commits files under _files/. PushDashboards commits saved dashboards under _dashboards/. PushExecutionFiles commits run outputs under _outputs/. Run them in parallel across different namespaces, or sequence them inside one namespace to avoid merge conflicts.
TenantSync synchronizes every namespace, flow, Namespace File, and dashboard in a tenant in one task. Push from staging-Kestra, pull into prod-Kestra, gated by review. The whole platform state moves between environments through a Git branch with protectedNamespaces keeping critical prod namespaces safe from accidental deletion.
Every push and sync task supports dryRun: true. The task computes the full diff and writes it to Kestra's internal storage as an ion file without applying anything. Plug into a review workflow: dryRun on a Schedule, post the diff to Slack or open a PR, gate the apply behind human approval, then re-run with dryRun: false.
git.Clone brings external code into the working directory at execution time. Pin a branch, a tag, or a commit. cloneSubmodules: true pulls submodules. The cloned files become the input to subsequent steps (dbt CLI, Terraform CLI, scripts.python). No baked-in artifacts in container images, no stale copies, no rebuild to ship a new dbt project version.
The protectedNamespaces list (defaults to [system]) is never deleted, even when whenMissingInSource: DELETE would otherwise remove it. Add prod, finance, or compliance to the list and a Git sync cannot accidentally wipe them. Combine with dryRun for two independent safety layers before a destructive operation.
Patterns teams ship in production today. Each one shows the flow end to end, with the real plugin classes in play.
A scheduled flow in the system namespace runs NamespaceSync with sourceOfTruth: GIT every five minutes against the main branch of the platform repo. Flows added in Git appear in Kestra. Flows deleted in Git disappear from Kestra (except those listed in protectedNamespaces). The Kestra UI becomes a read-only window onto what is committed to main.
If someone edits a flow in the UI by mistake, the next sync overwrites it from main. The intended state lives in Git.
Remove a flow from Git and the next sync removes it from Kestra, unless its namespace is in protectedNamespaces.
Merge a PR to main and the next 5-minute sync deploys it. No separate CI step, no kestra-deploy.sh script.
The NamespaceSync output includes a diff file. The follow-up Slack step posts what changed since the last reconcile.
An hourly flow runs PushFlows with dryRun: true against the platform repo. The diff lands in Kestra's internal storage. A follow-up step posts a link to the diff in Slack with a review request. Once approved (manually, or by a bot that opens a PR), the same task re-runs with dryRun: false and commits. Every change in Kestra ends up in Git with attributable authorship.
The first PushFlows runs in plan-only mode. No commit lands until the reviewer resumes the flow.
Run PushFlows, PushNamespaceFiles, PushDashboards in parallel for the same namespace, each landing in its own _flows / _files / _dashboards subdirectory.
PushFlows output includes the commitURL. The follow-up Slack message includes a direct link to the commit on GitHub or GitLab.
The flow runs Clone against the data-platform repo at a pinned branch. Submodules pulled. The dbt project lands in the working directory. The next task runs dbt build against the freshly cloned project. Branch, tag, or commit can be pinned per-execution as a flow input, so the same flow definition deploys feature branches in CI and main in prod without a container rebuild.
Pass branch, tag, or commit at execution time. CI runs the feature branch, prod runs main, no separate flow definition.
cloneSubmodules: true brings in nested repos (shared macros, dbt packages, internal libs) at runtime.
The dbt CLI task does not need a separate path config. The clone landed in working dir, dbt picks it up directly.
Updating the dbt models is a Git push, not a Docker image rebuild and registry push.
A release flow in staging-Kestra runs TenantSync with sourceOfTruth: KESTRA, dryRun: true. The diff lands and Slack posts the link. After human approval (Pause + reviewer), the same task re-runs with dryRun: false to commit the staging state to a release branch. A second flow in prod-Kestra runs TenantSync with sourceOfTruth: GIT and protectedNamespaces: [prod-finance, prod-compliance] to safely apply. The entire platform state moves through Git, gated, audited, reversible.
TenantSync handles every namespace, flow, Namespace File, and dashboard in the tenant at once. No per-namespace orchestration loop.
prod-finance, prod-compliance stay safe even if whenMissingInSource: DELETE. Add prod-billing or any other critical namespace as needed.
First on staging export, then on prod apply. Two independent reviews before any destructive operation runs in prod.
Every promotion is a Git commit. Reverting the platform state is a git revert + re-run TenantSync, not a manual recovery.
We needed orchestration built for flexibility and scale, without forcing us to rewrite our existing pipelines. Kestra fit naturally into our stack and enabled our teams to move quickly without disruption.
| Capability | | Manual export + git CLI on the Kestra host | | |
|---|---|---|---|---|
| Bidirectional sync with explicit source of truth | sourceOfTruth: GIT or KESTRA, whenMissingInSource controls deletion | Manual, no direction enforcement | Write your own diff logic | No sync, only manual edits |
| Push by artifact type (flows, files, dashboards, outputs) | Four dedicated tasks, parallel-safe | Manual per-artifact | Build the export endpoints yourself | Not supported |
| Tenant-wide sync in one task | TenantSync, every namespace + artifact in one call | Loop over namespaces in shell | Loop in code | Manual per-namespace UI clicks |
| dryRun: plan-only mode before any change | Every push and sync task supports dryRun | Not available, every git push lands | Implement diff logic yourself | Not applicable |
| Protected namespaces (never deleted during sync) | protectedNamespaces list on every sync task | Manual safeguards | Code the protection yourself | Not applicable |
| Clone external repos at flow runtime | git.Clone with branch, tag, commit, submodule support | Shell + git CLI inside the task | Custom code | Bake the artifacts into the image |
| Cross-environment promotion via Git | TenantSync staging to Git, Git to prod, gated | Manual file copy | Custom CI pipeline | Re-create flows in prod UI |
| Audit trail of who pushed what when | Commit author + Kestra execution ID per change | Git commits only, no execution link | Custom log correlation | Kestra audit only, no Git side |
| Self-hosted, air-gapped, OSS edition | Self-hosted by default, OSS edition free | Self-hosted | Self-hosted | Self-hosted |
Find answers to your questions right here, and don't hesitate to Contact Us if you couldn't find what you're looking for.
Version control flows with Git
Step-by-step on declaring flows in Git, syncing between Kestra and your repo, and gating production with dryRun reviews.
Chain Git operations with the rest of the stack
Common pattern: clone an external repo, run Terraform or dbt against the fresh checkout, push results back. See how Git fits alongside Terraform, dbt, and Argo CD orchestration.
Git plugin reference
Every Git task (Clone, NamespaceSync, TenantSync, PushFlows, PushNamespaceFiles, PushDashboards, SyncFlows, and more) with copy-ready YAML examples and full property reference.
Push flows, files, and dashboards to any Git provider. Reconcile from Git on schedule. dryRun every change first. Protect critical namespaces. Clone external repos at runtime. Open source, self-hosted, event-driven.
