depmedic-bot
A GitHub App that audits every PR touching .github/workflows/*.yml with 16 cost, security, and hygiene rules from ci-doctor. One PR comment, updated as you push.
What you get on every PR
When a PR opens or you push a new commit, the bot:
- Lists changed files. If none touch .github/workflows/, it stays silent.
- Fetches the changed workflow files at the PR's head SHA.
- Runs ci-doctor against each YAML.
- Posts (or updates) a single PR comment with a markdown table: file, line, severity, rule id, message.
No diff or other repo content ever leaves Cloudflare; only the changed workflow YAML strings ride through the Worker. The findings are lines extracted from your config plus a rule id, nothing more.
What it catches (the 16 rules)
Cost
- `missing-timeout` - jobs without timeout-minutes can burn hours.
- `missing-cache` - npm ci / pip install without cache.
- `missing-concurrency` - duplicate runs from rapid pushes.
- `expensive-runner` - large/macOS runners without platform-only commands.
- `matrix-overcommit` - matrix that fans out beyond a sane bound.
- `e2e-on-every-push` - heavy e2e jobs without a path filter or label gate.
Security & hygiene
- `action-no-pin` - actions pinned to @v4 instead of a SHA.
- `script-injection` - github.event.* interpolation into run: blocks.
- `token-permissions` - missing permissions: block (defaults to write).
- `cache-key-fragile` - cache keys without lockfile hashes.
- `missing-fetch-depth` - blame / signed commits broken by shallow clones.
- `artifact-no-expiration` - artifacts default to 90 days, racking up storage.
- `setup-no-pin` - setup-node@v4 with no node-version lock.
- `workflow-dispatch-only` - workflows that never run automatically (smoke test for dead config).
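To show what two of these rules actually look for, here is an added, self-contained checker written for this page; it is not ci-doctor's code, uses simplified line-based heuristics rather than a YAML parser, and runs over a constructed sample workflow (the 40-hex SHA in it is a made-up placeholder):

```javascript
// Added illustration, not ci-doctor's own code: a minimal line-based checker for two of
// the rules above. Heuristics are simplified assumptions, not a full YAML parser.
const SHA40 = /^[0-9a-f]{40}$/;

function auditWorkflow(yaml) {
  const findings = [];
  let runIndent = -1; // indent of an open multi-line `run: |` key, or -1 when not in one
  yaml.split("\n").forEach((text, i) => {
    const stripped = text.trim();
    if (stripped === "") return;
    const indent = text.length - text.trimStart().length;
    // A multi-line run block ends once indentation returns to the key's level.
    if (runIndent >= 0 && indent <= runIndent) runIndent = -1;
    const run = /^-?\s*run:\s*(.*)$/.exec(stripped);
    if (run && /^[|>]/.test(run[1])) runIndent = indent;
    // script-injection: untrusted event data expanded inside a shell step
    if ((run || runIndent >= 0) && /\$\{\{\s*github\.event\./.test(text)) {
      findings.push({ line: i + 1, severity: "error", rule: "script-injection",
        message: "github.event.* interpolated directly into run:" });
    }
    // action-no-pin: `uses: owner/repo@ref` where ref is not a 40-hex commit SHA
    const uses = /^-?\s*uses:\s*([^\s#]+)@([^\s#]+)/.exec(stripped);
    if (uses && !SHA40.test(uses[2])) {
      findings.push({ line: i + 1, severity: "warn", rule: "action-no-pin",
        message: `${uses[1]}@${uses[2]} -> pin to a commit SHA` });
    }
  });
  return findings;
}

// Constructed sample workflow (the SHA below is a made-up placeholder, not a real commit).
const SAMPLE = [
  "name: ci",
  "on: [push, pull_request]",
  "jobs:",
  "  test:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - run: echo \"${{ github.event.head_commit.message }}\"",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567",
  "      - run: |",
  "          npm ci",
  "          echo \"${{ github.event.pull_request.title }}\"",
].join("\n");

for (const f of auditWorkflow(SAMPLE)) console.log(`${f.line}\t${f.severity}\t${f.rule}\t${f.message}`);
```

The same untrusted-input check fires for both the single-line `run:` on line 8 and the block-scalar `run: |` on line 12, while the SHA-pinned `setup-node` step produces no finding.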
Sample comment
```markdown
## depmedic-bot

**3 findings** across 1 workflow file: 1 error / 2 warn / 0 info.

| File | Line | Severity | Rule | Message |
| --- | --- | --- | --- | --- |
| `.github/workflows/ci.yml` | 14 | error | `script-injection` | github.event.head_commit.message interpolated directly into run: |
| `.github/workflows/ci.yml` | 22 | warn | `action-no-pin` | actions/checkout@v4 -> pin to a commit SHA |
| `.github/workflows/ci.yml` | 31 | warn | `missing-timeout` | job 'test' has no timeout-minutes (default: 360) |

<sub>Audited by depmedic-bot using ci-doctor. Run `npx ci-doctor --fix` to auto-apply the safe fixes.</sub>
```
Install
- Click Install on GitHub.
- Pick the org or user. Pick "all repos" or just a few.
- Open or push to a PR that touches a workflow. Comment appears within ~10 seconds.
Privacy
- Webhook deliveries are HMAC-SHA256 verified before any work runs.
- The Worker never persists workflow contents; only the install id + account login (so the bot knows who to authenticate as).
- Findings reference your own YAML lines and rule ids. Nothing else.
- The Worker is open source and lives in depmedic-bot-worker.
Pricing
Public repos: free, forever. The whole reason this thing exists is to push the OSS ecosystem toward sane CI defaults.
Private repos: $7/mo per repo via GitHub Marketplace (listing pending). Same engine, same rules, billed by GitHub.
Need org-wide rollout, custom rules, or SSO? Email depmedicdev@gmail.com. The depmedic Org plan is $99/mo flat for unlimited private repos and includes Org Dep Health Monitor.
FAQ
Will this comment on every commit?
No. One comment per PR, updated in place as you push. Closed PRs are never touched.
What about non-workflow files?
The bot stays silent. It only fires when a file under .github/workflows/ changes.
Does it block merges?
No. It posts a comment. You decide whether the findings are blocking. (If you want a check, run ci-doctor in your existing CI pipeline.)
Can I get the same audit without installing the App?
Yes. Either scan in the browser (paste YAML or a repo URL) or run npx ci-doctor locally.
What about GitLab?
Use scan-gitlab.html or npx gitlab-ci-doctor. The GitLab equivalent of the bot is on the roadmap.