Source Control & Environments · Deep Dive
Intro 01 / 00

n8n Source Control
& Environments

How n8n uses Git to give your team separate development and production environments, version-controlled workflows, and side-by-side deployment diffs - without leaving n8n.

Git-backed environments Branch patterns Push & pull Workflow diffs Enterprise features Auto-deployment
Avanai Press → to begin · ? for help
The problem

One n8n instance means one mistake away from breaking production.

Without environments, every workflow edit is live. There's no safe place to test changes, no way to review what changed before it ships, and no rollback if something breaks. n8n solves this with Git-backed environments - the same model engineers use for code, applied to automation.

🔥

No isolation

Changes to a workflow in production immediately affect live executions - no staging buffer.

👻

No history

Without Git, there is no record of what changed, who changed it, or what it looked like before.

🤞

No confidence

Teams avoid touching workflows because a small mistake can break customer-facing automations.

01 · Intro
The solution

n8n environments: Git as the backbone.

n8n links each instance to a Git branch. Work flows from development to production via push, merge, and pull - the same pattern engineers trust for code.

🛠

Development instance

Where your team builds and tests workflows freely.

↓ push
🐙

Git repository

Source of truth. Stores workflow files, tags, credential stubs.

↓ pull
🚀

Production instance

Only receives reviewed, approved changes.

What gets stored in Git

Workflow JSON, tags, variable stubs, credential stubs (not values), data table schemas, projects, folders.

What stays local

Credential values, variable values, execution history, row data in data tables.

Feature availability

Available on Business and Enterprise plans. Instance owners and admins configure source control.

01 · Intro
02

Git & Environments

Concepts, terminology, and how n8n maps to Git.

02 · Git & Environments
Git in n8n

Three concepts. That's all you need.

n8n doesn't implement full Git - it uses three operations to move work between instances and the repository.

⬆️

Push

Send selected workflows (and all tags/variable stubs) from your n8n instance to the Git repository. You choose which workflows. n8n commit and push happen together.

⬇️

Pull

Fetch workflows, tags, and variable stubs from Git into n8n. Overwrites local copies. You must set credential and variable values manually after pulling to a new instance.

🌿

Branch

Each n8n instance connects to one Git branch. The branch stores a snapshot of that environment's workflows. Multiple instances can share one branch, or each can have its own.

⚠️ Pulling overwrites your work. Always push your local changes before pulling, or you risk losing edits that haven't been saved to Git yet.

02 · Git & Environments
Source control in action

What it looks like inside n8n.

Push & Pull Branch Lock

The source control panel lets you push selected workflows to Git or pull the latest from your branch. When the branch is locked, the entire n8n UI freezes - no new workflows can be created or edited, protecting production from accidental changes.

n8n source control push/pull panel
Workflow Selector

Before pushing or pulling, project managers see a selection dialog listing every workflow. Check or uncheck individual workflows to control exactly what goes into the commit - giving full control over what reaches production.

n8n workflow selector dialog for push/pull
02 · Git & Environments
Environments in n8n

An environment = an n8n instance + a Git branch.

In software development, an environment is all the infrastructure and tooling around your code. In n8n, it's your instance configuration combined with the workflows and settings on a specific Git branch.

The n8n instance

Where workflows run. Can be cloud-hosted or self-hosted. Has its own configuration, credentials, and settings. The "runtime" half of an environment.

The Git branch

Stores the workflow definitions, tags, variable stubs, and credential stubs. The "code" half of an environment. This is the source of truth.

Credentials & variable values

Not synced to Git. You must configure them manually per instance. Use external secrets (HashiCorp Vault, AWS Secrets Manager) to manage different credentials per environment from one vault.

Common pattern

Development instance - make changes freely. Production instance - protected, only receives reviewed work via Git merge + pull. Add test/staging as your team grows.

02 · Git & Environments
03

Branch Patterns

The four ways to wire n8n instances to Git branches - and when to use each.

03 · Branch Patterns
All four patterns at a glance

Choose the pattern that fits your team.

Recommended

Multi-instance · Multi-branch

Each instance owns its own branch. Work moves via pull request - the safest gate to production.

n8n Instance Git Branch ① DEVELOP Dev n8n Instance push branch-dev Git repository ② PR + MERGE branch-prod Git repository ③ PULL TO PROD pull Prod n8n Instance
Simpler setup

Multi-instance · One branch

Dev pushes, Prod pulls - both share one branch. No PR required.

n8n Instance Git Branch Dev n8n Instance push main Shared Git branch workflow files stored here full version history ← Dev pushes · Prod pulls → pull Prod n8n Instance No PR needed - both instances share one branch
Review workflows

One instance · Multi-branch

One instance switches between branches to review different users' work.

Reviewer n8n Instance branch-A Git · User A's work branch-B Git · User B's work pull push back pull push back Reviewer switches active branch to inspect each user's work
Simplest

One instance · One branch

Single instance pushing to one branch. Ideal for version history and backup.

n8n Instance build & run workflows trigger executions push save to Git pull restore from Git main Git branch workflow files full version history Use case: version history, backup, solo teams
03 · Branch Patterns
Pattern deep dive

Multi-instance, multi-branch: the safest path to production.

Advantages
  • Changes only reach production after a pull request review in GitHub/GitLab - an extra safety gate.
  • Supports more than two instances (dev, test, staging, prod on separate branches).
  • Full Git history per branch - easy to roll back by reverting a commit.
  • Workflow diffs show exactly what changed between branches before merging.
Trade-offs
  • More steps to move work: push - pull request - merge - pull. Slower for hotfixes.
  • Requires familiarity with pull requests in your Git provider.
  • Automating the final pull step (GitHub Action) reduces friction significantly.
Typical workflow
Multi-branch
1
Build and test workflows on the development instance
2
Push from development to the development branch in Git
3
Open a pull request in GitHub/GitLab to merge dev → production branch
4
Review the diff, approve, and merge
5
Pull in the production instance (manually or via GitHub Action automation)
03 · Branch Patterns
Pattern deep dive

Multi-instance, one branch: fast but requires discipline.

Both development and production instances connect to the same branch. When you push from dev, the work is immediately available for production to pull.

Advantages
  • Simpler setup - one branch to manage.
  • Work is available to pull into production immediately after pushing from dev.
  • Also useful for testing n8n version upgrades: spin up a new instance on the same branch to test the new version, while production stays on the old one.
Risks
  • An accidental push of unfinished work is immediately available to production.
  • If you use a GitHub Action to auto-pull to production on every push, never push work you don't want in production.
  • Pushing and pulling on the same instance can cause data loss - keep work flowing one direction.

💡 n8n's recommendation: Design work to flow in one direction only - either to Git or from Git, not both on the same instance. Don't push all workflows - only select what you need.

03 · Branch Patterns
04

Setup & Usage

Connecting n8n to Git, pushing, pulling, and resolving merge behaviors.

04 · Setup & Usage
Setup

Four steps to connect n8n to Git.

Step by step
Settings > Environments
1
Create your repository and branches - one branch per environment (e.g. development, production).
2
Configure Git in n8n - go to Settings > Environments, enter your repository URL (SSH or HTTPS), and copy the SSH key or enter your Personal Access Token.
3
Set up authentication - for SSH: add n8n's deploy key to your Git provider with write access. For HTTPS: create a PAT with repo read/write permissions.
4
Connect and configure - click Connect, choose the branch for this instance, optionally enable Protected Instance (recommended for production), optionally set a color to identify the instance.

SSH (recommended)

n8n generates an ED25519 (or RSA) key pair. Add the public key as a deploy key in GitHub/GitLab with write access. More secure than HTTPS for automation.

HTTPS + PAT

Create a Personal Access Token. GitHub needs Contents read/write. GitLab needs Source code pull/push. Bitbucket: use an App Password.

Protected instance

Prevents users from editing source-controlled resources directly in this instance. Enable this on production. Users can still run workflows.

04 · Setup & Usage
Pushing work to Git

Push: save your work to Git selectively.

Instance owners, instance admins, and project admins can push. n8n pushes the saved version of a workflow, not the published version.

Push flow
Push button in main menu
1
Select Push in the main menu.
2
In the Commit modal, select which workflows and data tables to push. Filter by status: new, modified, or deleted. Search by name.
3
Write a commit message - one sentence describing the change.
4
Click Commit and Push. n8n automatically includes tags, variable stubs, and credential stubs.

What gets committed

  • ✅ Workflow JSON (you choose which)
  • ✅ Credential stubs - ID, name, type only
  • ✅ Variable stubs - ID and name only
  • ✅ Data table schemas (you choose which)
  • ✅ Projects and folders
  • ❌ Credential values
  • ❌ Variable values
  • ❌ Data table row data

Best practice

Push immediately after finishing work on a workflow. Don't push everything at once - select only what changed. This makes it safe to pull later.

04 · Setup & Usage
Pulling from Git

Pull: load Git's version into n8n.

Instance owners and instance admins only. Pulling fetches workflows, tags, and variable stubs from Git and loads them into n8n - overwriting local copies.

Auto publish on pull

Three modes in the pull modal: Off (keep current state), If already published (only re-publish existing), On (publish all including new). Archived workflows are never auto-published.

Ownership after pull

n8n matches workflows to users by email. If the owner isn't on the new instance, the person pulling becomes the owner. Projects are matched by name - created if missing.

Deleted resources

Resources deleted from the repository don't auto-delete locally. n8n notifies you and asks if you'd like to delete them.

⚠️ Pulling a published workflow

n8n unpublishes the workflow, applies the update, then republishes it. This causes a few seconds of downtime. Plan pulls during low-traffic windows for critical workflows.

Column removal warning

If a pulled data table has columns removed vs. your local version, n8n deletes those columns and their data permanently. n8n warns you in the pull modal before this happens.

Available via API

Use POST /api/v1/source-control/pull with "force": true to trigger pulls programmatically - ideal for automation via GitHub Actions.

04 · Setup & Usage
Merge behaviors

n8n is opinionated about conflicts. That's a feature.

n8n auto-resolves conflicts for credentials, variables, and tags. Workflows require explicit decisions from you.

Resource
On push
On pull
Workflows
Your local version overwrites Git. Make sure you have the latest.
Git version overwrites local. You're warned if they differ.
Credentials
Overwrites the stub in Git with current name/type.
Creates if missing. Updates only if name has changed in Git.
Variables
Overwrites the entire variables file in Git.
Creates if missing. Doesn't update existing - unless API-set.
Tags
Overwrites the entire tags file in Git.
Creates if missing. Updates name if renamed in Git.
Data tables
Exports table name, column names, types, and order.
Creates new tables. Updates schema - column removal deletes data.

💡 Use external secrets (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secrets Manager) to manage different credential values across environments from a single vault, without storing them in Git.

04 · Setup & Usage
05

Track Changes & Workflow Diffs

See exactly what changed before you push to production.

05 · Track Changes
Enterprise feature

Workflow diffs: see every change before it ships.

Compare the workflow on your instance against the version in Git - side by side, node by node - before committing to push or pull.

Where to access

Click the diff icon next to any workflow in the Commit and Push modal (when pushing) or the Modified Changes modal (when pulling).

Layout

Two workflows stacked vertically. Top panel = the version that will receive changes. Bottom panel = the version it's being compared against.

Node-level JSON diff

Click any modified node to see the exact configuration before and after - field by field. No guessing what changed.

N

Added

New nodes or connectors - shown in green.

M

Modified

Changed nodes or connectors - shown in orange. Click to inspect JSON diff.

D

Deleted

Removed nodes or connectors - shown in red.

Navigation

Changes counter in top-right. Next/previous arrows cycle through each change. Back button returns to the commit/pull modal.

Who can access

Instance owners, instance admins, and project admins only.

05 · Track Changes
Workflow diff in action

Example: catching a Pinecone namespace change before production.

n8n workflow diff showing Pinecone Vector Store namespace change

The workflow

Google Drive triggers - file download - embeddings - Pinecone Vector Store - AI Agent (with Slack and Notion tools).

The diff caught

The Pinecone Vector Store node's options field changed from {} to { "pineconeNamespace": "Internal documentation" } - a namespace being added for the vector store.

Why this matters

Without the diff, a developer might push this namespace change without realizing it would affect how documents are stored and retrieved in production - causing silent data routing issues.

Result

Team reviews the diff, confirms the change is intentional, and pushes with confidence. Zero surprises in production.

05 · Track Changes
06

Deploy & Automate

Copying work between environments and removing the manual pull step.

06 · Deploy & Automate
Copying work between environments

Single branch vs. multi-branch: different deployment paths.

Single branch deployment

Simplest path. Both instances share the same branch.

1
Push from development instance to Git
2
Pull in production instance (or automate via API)

Multi-branch deployment

Safer path with a mandatory review gate.

1
Push from development instance to development branch
2
Open a pull request: development → production branch
3
Review the diff, approve, and merge
4
Pull in production instance (or automate)

Git provider merge docs

GitHub: Creating a pull request  ·  GitLab: Creating merge requests  ·  Bitbucket: Create a pull request

06 · Deploy & Automate
Automated deployments

Remove the manual pull step with a GitHub Action.

Use n8n's /source-control/pull API endpoint to trigger a pull programmatically after merging - so production updates itself.

API call

curl --request POST \   --location '<YOUR-INSTANCE-URL>/api/v1/source-control/pull' \   --header 'Content-Type: application/json' \   --header 'X-N8N-API-KEY: <YOUR-API-KEY>' \   --data '{"force": true}'

GitHub Action (.github/workflows/deploy.yml)

name: Deploy to n8n Production on:   push:     branches: [ "production" ]   workflow_dispatch: jobs:   run-pull:     runs-on: ubuntu-latest     steps:       - name: PULL         run: >           curl --location '${{ secrets.INSTANCE_URL }}/version-control/pull'           --header 'X-N8N-API-KEY: ${{ secrets.INSTANCE_API_KEY }}'

Store INSTANCE_URL and INSTANCE_API_KEY as GitHub secrets - never in the workflow file. The same pattern works with GitLab CI/CD pipelines.

06 · Deploy & Automate
07

Enterprise Features

Security, governance, scale, and observability for production-grade automation.

07 · Enterprise
Governance & Security

Enterprise-grade control over every part of n8n.

🏗

Self-hosted or cloud

Run n8n on your own infrastructure or managed cloud. Full control over data residency, network, and configuration.

🔑

SSO, SAML, LDAP

Provision users via your existing identity provider. 2FA enforced. Compliant with strict enterprise security standards.

🔐

External secrets vaults

HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secrets Manager. Inject credentials at runtime - not stored in n8n or Git.

🛡

Fine-grained RBAC

Custom project roles. Control view, edit, deploy, and manage permissions per user, team, or API - at the project level.

📊

Log streaming

Stream all workflow events to your observability stack via direct integrations or webhooks to any monitoring solution.

SOC 2 audited

Cloud offering is SOC 2 audited with regular external pen tests. Security posture and certifications available in the Trust Center.

07 · Enterprise
Performance & Monitoring

AI workflows you can trust at enterprise scale.

200+
Executions per second in queue mode (benchmark on AWS c5.4xlarge)
Horizontal scaling - add workers to absorb any traffic spike
0
Downtime with automatic failover via multi-main setup

AI Evaluations

Test AI agent workflows with real data before deploying. Track correctness and speed at every stage. Ensure consistent results across model updates.

Queue mode & Multi-main

Run workers horizontally in parallel. Multi-main provides automatic failover so one crashed instance doesn't take down your automation.

Insights

Executions, failure rate, time saved - at a glance. Per-workflow data helps you optimize and demonstrate ROI to stakeholders.

07 · Enterprise
Feature availability

What's on which plan.

Feature Plan Notes
Source control & environmentsBusiness EnterpriseInstance owners and admins configure; project admins can push
Workflow diffs (compare changes)EnterpriseRequires environments feature enabled
External secrets vaultsEnterprise Self-hosted & Cloud1Password, AWS, Azure, GCP, HashiCorp
SSO / SAML / LDAPEnterpriseIncludes 2FA enforcement
Custom project roles (RBAC)EnterpriseFine-grained per-action permissions
AI EvaluationsEnterpriseTest AI agents with real data pre-deploy
Queue mode & Multi-mainEnterprise Self-hosted200+ executions/sec; automatic failover
InsightsBusiness EnterpriseExecution metrics and ROI tracking
Unlimited projectsBusiness EnterpriseIsolate workflows per team or use case
SOC 2 complianceAll Cloud plansRegular external pen tests
07 · Enterprise
08

End-to-End Tutorial

Stand up dev and production environments in one session.

08 · Tutorial
Tutorial · Multi-branch pattern (recommended)

Dev + prod environments with GitHub in one session.

GitHub setup
Do this first
1
Create a private GitHub repository with a README (creates main branch automatically).
2
Create two branches: development and production.
3
Add n8n's SSH key as a deploy key with write access (Settings > Deploy keys).
n8n setup (repeat for both instances)
4
Go to Settings > Environments, enter SSH URL, copy SSH key.
5
Click Connect. Choose development branch for the dev instance, production branch for prod.
6
On the production instance, enable Protected instance.
The deployment loop
Ongoing
1
Build and test workflows on the dev instance.
2
Push from dev - select workflows, write a commit message.
3
In GitHub, open a pull request from development to production.
4
Review the diff. Approve and merge.
5
Pull in the production instance (or use GitHub Action to automate).
Tip: set up the GitHub Action on slide 21 to remove step 5 entirely.
08 · Tutorial
Tutorial · Single-branch pattern (simpler)

Both instances, one branch - fastest to set up.

GitHub setup
1
Create a private repository with a README (creates the main branch).
2
Add n8n's SSH deploy key with write access.
n8n setup (both instances)
3
Settings > Environments - enter SSH URL, connect.
4
Both instances select the main branch.
5
Production instance: enable Protected instance.
When to use single-branch
  • Small team with high trust - everyone knows not to push unfinished work.
  • You want the simplest possible setup to start with and can migrate to multi-branch later.
  • You're not using GitHub Actions to auto-pull to production.
When to move to multi-branch
  • Your team is growing and you want a mandatory review gate before production.
  • You want to automate pulls to production on merge without risk of shipping unreviewed changes.
  • You need an audit trail of what merged when and who approved it.
08 · Tutorial

Thank you.

Questions, feedback, or ready to set up environments? Reach out to the Avanai team.

avanai.io  ·  n8n.io/enterprise

Avanai × n8n
Official Partners
Avanai · 2026

Keyboard shortcuts

→ / l
Next slide
← / h
Previous slide
Space / ↓
Scroll down / next
Scroll up / prev
Home
First slide
End
Last slide
f / F
Fullscreen
?
This help