depmedic → ci-doctor-action

ci-doctor-action

A GitHub Action that audits your workflows for waste, cost leaks, and security gaps on every pull request. 16 rules. Sticky PR comment. SARIF upload to Code Scanning. MIT, no telemetry, no auth.

Action v1.0.0 16 rules SARIF PR comment

Three lines, every PR audited

Drop into any repo. Reads .github/workflows/. Posts a sticky markdown comment. Uploads SARIF to your Security tab.

GitHub Marketplace Source on GitHub

Quick start

Save as .github/workflows/ci-doctor.yml:

name: ci-doctor
on:
  pull_request:
    paths:
      - '.github/workflows/**'
permissions:
  contents: read
  pull-requests: write
  security-events: write
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@v1

What you get

Sticky PR comment — one comment per PR, updated in place when you push fixes.
SARIF upload — findings appear under the Security → Code scanning tab.
Severity gating — default is fail-on-error; set to warn for stricter teams, info for fanatics.
Pinnable — pin the action to @v1.0.0 or @<sha> and pin ci-doctor-version: '0.5.0' for fully reproducible audits.
Self-hosted-runner safe — no Docker required, just Node.

Inputs

input	default	what it does
`path`	`.`	Path to scan; auto-discovers `.github/workflows`.
`fail-on`	`error`	Severity threshold for non-zero exit: `info` \| `warn` \| `error`.
`upload-sarif`	`true`	Upload SARIF to Code Scanning. Needs `security-events: write`.
`comment-on-pr`	`true`	Post a sticky markdown comment. Needs `pull-requests: write`.
`ci-doctor-version`	`latest`	Pin to a specific npm version of `ci-doctor`.
`only`	empty	Comma-separated rule IDs to run exclusively.
`disable`	empty	Comma-separated rule IDs to skip.

Outputs

sarif-path — ci-doctor.sarif
markdown-path — ci-doctor.md
finding-count — total findings (integer)

What it checks

16 rules — full descriptions on the rules page.

category	rules
security	`no-pin-actions`, `pull-request-target-checkout`, `script-injection-context`, `insecure-checkout-token`, `docker-no-pin`, `after-script-leaks`
cost	`expensive-runner`, `missing-concurrency`, `missing-cache`, `wide-paths`, `cron-storm`, `service-no-healthcheck`
reliability	`flaky-retries`, `missing-timeout-minutes`, `legacy-actions-version`
hygiene	`actions-floating-tag`

Recipes

Block PRs only on errors (default)

- uses: depmedicdev-byte/ci-doctor-action@v1
  with:
    fail-on: error

Hard mode: block any warning

- uses: depmedicdev-byte/ci-doctor-action@v1
  with:
    fail-on: warn

Disable a noisy rule

- uses: depmedicdev-byte/ci-doctor-action@v1
  with:
    disable: missing-concurrency,no-pin-actions

Pin everything (recommended for prod)

- uses: depmedicdev-byte/ci-doctor-action@1bd71901bbe5b1630ceea73d27597364c9af683 # v1.0.0
  with:
    ci-doctor-version: '0.5.0'

Family

ci-doctor — the underlying CLI (16 rules)
depmedic-vscode — same 16 rules, inline in your editor
depmedic-bot — zero-config GitHub App version
gitlab-ci-doctor — GitLab CI port
bitbucket-ci-doctor — Bitbucket Pipelines port
/scan.html — in-browser scanner