
Releases: depmedicdev-byte/ci-doctor

v0.5.0 - docker-no-pin + service-no-healthcheck

28 Apr 08:49


Two new rules. Now 16 total. All 46 tests green.

  • docker-no-pin (warn, security): flags container/service images and docker:// step refs that use floating tags (:latest, :node, :22, :alpine...) instead of a digest.
  • service-no-healthcheck (warn, cost): flags well-known service containers (postgres, mysql, redis, mongo, kafka...) without a --health-cmd in their options: block. Test steps that race the service start fail intermittently and burn re-run minutes.
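The two new rules as an added example, not ci-doctor's own code: both checks applied to a workflow that has already been parsed into a plain object (ci-doctor parses YAML with the yaml package; the sample object, the digest regex and the service list are constructed here from the description above).

```javascript
// Added example, not ci-doctor's own code: the two v0.5.0 rules applied to a
// workflow already parsed into a plain object (the sample is constructed inline).
const DIGEST_RE = /@sha256:[0-9a-f]{64}$/i; // a pinned ref ends in a full digest
// Service images the rule expects to carry --health-cmd (list from the release note).
const KNOWN_SERVICES = ['postgres', 'mysql', 'redis', 'mongo', 'kafka'];
const isPinned = (image) => DIGEST_RE.test(String(image));

// Reduce "ghcr.io/org/postgres:16@sha256:..." to "postgres".
function imageName(image) {
  return String(image).split('/').pop().split('@')[0].split(':')[0];
}

// Walk every job's container, services and docker:// steps; return findings.
function lint(workflow) {
  const findings = [];
  const warn = (rule, at) => findings.push({ rule, level: 'warn', at });
  for (const [jobId, job] of Object.entries(workflow.jobs || {})) {
    // `container:` may be a bare string or a map with an `image` key.
    const image = job.container && (job.container.image || job.container);
    if (image && !isPinned(image)) warn('docker-no-pin', `jobs.${jobId}.container`);
    for (const [name, svc] of Object.entries(job.services || {})) {
      const at = `jobs.${jobId}.services.${name}`;
      if (!isPinned(svc.image)) warn('docker-no-pin', at);
      const opts = String(svc.options || '');
      if (KNOWN_SERVICES.includes(imageName(svc.image)) && !opts.includes('--health-cmd')) {
        warn('service-no-healthcheck', at);
      }
    }
    (job.steps || []).forEach((step, i) => {
      const uses = String(step.uses || '');
      if (uses.startsWith('docker://') && !isPinned(uses)) {
        warn('docker-no-pin', `jobs.${jobId}.steps[${i}]`);
      }
    });
  }
  return findings;
}

// Constructed sample: an unpinned redis service with no health check, a
// digest-pinned postgres with --health-cmd, and a floating docker:// step.
const SAMPLE = { jobs: { test: {
  services: {
    cache: { image: 'redis:7' },
    db: { image: 'postgres@sha256:' + 'a'.repeat(64),
          options: '--health-cmd pg_isready --health-interval 10s' },
  },
  steps: [{ uses: 'docker://alpine:latest' }, { run: 'npm test' }],
} } };
```

Running lint(SAMPLE) yields three findings: docker-no-pin and service-no-healthcheck on the redis service, and docker-no-pin on the alpine step; the digest-pinned postgres with a health command is clean.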

No breaking changes. Existing 14 rules unchanged. SARIF and markdown reporters automatically include the new rules.

npx ci-doctor@0.5.0 to try.

ci-doctor 0.4.1

28 Apr 00:25


ci-doctor 0.4.1 - GitHub Action ready

Three new cost rules + a CLI bug fix surfaced by dogfooding.

New rules

  • stale-cache-key (warn): actions/cache keys that don't include a lockfile hash never invalidate when deps change.
  • fail-fast-true (info): matrix jobs using default fail-fast: true cancel sibling jobs and waste already-billed minutes.
  • always-run-on-pr (info): heavy steps (docker build, e2e, codeql) running on every PR with no paths: filter.
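The three cost rules as an added example, not ci-doctor's own code: each check applied to a workflow already parsed into a plain object (ci-doctor uses the yaml package for parsing; the heavy-step patterns, the sample workflow and the helper names are constructed here from the descriptions above).

```javascript
// Added example, not ci-doctor's own code: the three v0.4.1 rules applied to a
// workflow already parsed into a plain object (sample constructed inline).
const HEAVY_STEPS = [/docker build/i, /e2e/i, /codeql/i]; // from the release note
// stale-cache-key: an actions/cache key that never changes with the lockfile.
function staleCacheKey(step) {
  const key = String((step.with && step.with.key) || '');
  return String(step.uses || '').startsWith('actions/cache') && !key.includes('hashFiles(');
}
// fail-fast-true: a matrix job that leaves fail-fast at its default of true.
function failFastTrue(job) {
  const s = job.strategy;
  return Boolean(s && s.matrix) && s['fail-fast'] !== false;
}
// always-run-on-pr: the pull_request trigger has no paths / paths-ignore filter.
// `on` may be a string, a list, or a map whose pull_request value is null.
function prHasNoPathsFilter(on) {
  if (typeof on === 'string') return on === 'pull_request';
  if (Array.isArray(on)) return on.includes('pull_request');
  if (!on || !('pull_request' in on)) return false; // not a PR workflow
  const pr = on.pull_request || {};
  return !pr.paths && !pr['paths-ignore'];
}
function isHeavy(step) {
  const text = `${step.uses || ''} ${step.run || ''} ${step.name || ''}`;
  return HEAVY_STEPS.some((re) => re.test(text));
}

function lint(workflow) {
  const findings = [];
  const noFilter = prHasNoPathsFilter(workflow.on);
  for (const [jobId, job] of Object.entries(workflow.jobs || {})) {
    if (failFastTrue(job)) findings.push({ rule: 'fail-fast-true', level: 'info', at: `jobs.${jobId}.strategy` });
    (job.steps || []).forEach((step, i) => {
      const at = `jobs.${jobId}.steps[${i}]`;
      if (staleCacheKey(step)) findings.push({ rule: 'stale-cache-key', level: 'warn', at });
      if (noFilter && isHeavy(step)) findings.push({ rule: 'always-run-on-pr', level: 'info', at });
    });
  }
  return findings;
}

// Constructed sample: PR trigger without paths, a matrix job with default
// fail-fast, one cache key without hashFiles, one with, and a docker build step.
const SAMPLE = { on: { pull_request: null }, jobs: { build: {
  strategy: { matrix: { node: [18, 20, 22] } },
  steps: [
    { uses: 'actions/cache@v4', with: { path: '~/.npm', key: 'npm-${{ runner.os }}' } },
    { uses: 'actions/cache@v4', with: { path: '~/.npm', key: "npm-${{ hashFiles('**/package-lock.json') }}" } },
    { run: 'docker build -t app .' },
  ],
} } };
```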

Fixed

  • ci-doctor path/to/file.yml no longer crashes with ENOTDIR when given a single file (previously it only handled directories).

Use as a GitHub Action

- uses: depmedicdev-byte/ci-doctor@v1
  with:
    fail-on: error      # error | warn | info | never
    comment: 'true'     # post a PR comment with findings

Or pin to the immutable tag: depmedicdev-byte/ci-doctor@v0.4.1.

Use as a CLI

npx ci-doctor             # 14-rule audit
npx ci-doctor --fix       # auto-apply the 4 safe fixes
npx ci-doctor --sarif > results.sarif

Numbers from the OSS benchmark dataset (229 workflows, 20 popular repos)

  • 944 total findings
  • 19 stale-cache-key hits
  • 13 fail-fast-true hits
  • 10 always-run-on-pr hits

Methodology and per-repo breakdown: https://depmedicdev-byte.github.io/benchmarks.html
Per-repo deep dives: https://depmedicdev-byte.github.io/examples/
All 14 rules explained: https://depmedicdev-byte.github.io/rules.html

v0.3.0

27 Apr 07:11


ci-doctor 0.3.0 - SARIF for GitHub Code Scanning

ci-doctor findings now flow into GitHub's native security UI. Run with --sarif, upload with the official codeql-action/upload-sarif@v3, and findings show up as inline PR annotations and in the repo's Security tab.

Severity mapping

ci-doctor   SARIF level   Where it shows in GitHub
error       error         red annotation, blocks merge if required
warn        warning       yellow annotation
info        note          grey annotation

Drop-in workflow

name: ci-doctor
on:
  pull_request:
permissions:
  contents: read
  security-events: write
jobs:
  audit:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - run: npx ci-doctor --sarif > ci-doctor.sarif || true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ci-doctor.sarif

What's also in this release

  • The driver advertises every rule with description and default level so the Code Scanning UI can show meaningful rule names.
  • File paths in artifactLocation are normalised to forward slashes for cross-platform consumers.
  • 6 new tests, full suite green on Node 18 / 20 / 22.
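The severity mapping, the advertised rule catalogue and the path normalisation as an added example, not ci-doctor's own code: a minimal SARIF 2.1.0 writer. The rule descriptions, the finding shape (rule, level, file, line, message) and the sample findings are constructed here; the two rule ids are taken from the release notes on this page.

```javascript
// Added example, not ci-doctor's own code: a minimal SARIF 2.1.0 writer that
// applies the severity mapping above, advertises every rule in tool.driver and
// normalises artifact paths to forward slashes. Findings are constructed inline.
const LEVELS = { error: 'error', warn: 'warning', info: 'note' };

// Rule catalogue as the driver advertises it (descriptions are illustrative).
const RULES = [
  { id: 'missing-timeout', description: 'job has no timeout-minutes', level: 'warn' },
  { id: 'pinned-action-sha', description: 'action is not pinned to a commit SHA', level: 'error' },
];

// Backslashes (Windows) become forward slashes; a leading "./" is dropped.
function normalisePath(p) {
  return String(p).replace(/\\/g, '/').replace(/^\.\//, '');
}

function toSarif(findings, rules = RULES) {
  const ruleIndex = new Map(rules.map((r, i) => [r.id, i]));
  return {
    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
    version: '2.1.0',
    runs: [{
      tool: { driver: {
        name: 'ci-doctor',
        rules: rules.map((r) => ({
          id: r.id,
          shortDescription: { text: r.description },
          defaultConfiguration: { level: LEVELS[r.level] },
        })),
      } },
      results: findings.map((f) => ({
        ruleId: f.rule,
        ruleIndex: ruleIndex.get(f.rule),
        level: LEVELS[f.level] || 'note', // unknown levels degrade to a grey note
        message: { text: f.message },
        locations: [{ physicalLocation: {
          artifactLocation: { uri: normalisePath(f.file) },
          region: { startLine: f.line },
        } }],
      })),
    }],
  };
}

// Constructed sample findings, one with a Windows-style path.
const SAMPLE = [
  { rule: 'missing-timeout', level: 'warn', file: '.github\\workflows\\ci.yml', line: 12, message: 'job "test" has no timeout-minutes' },
  { rule: 'pinned-action-sha', level: 'error', file: './.github/workflows/ci.yml', line: 20, message: 'actions/checkout@v4 is not SHA-pinned' },
];
```

JSON.stringify(toSarif(SAMPLE)) is what the upload-sarif step expects in ci-doctor.sarif; both sample locations come out as .github/workflows/ci.yml.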

Install

npx ci-doctor@0.3.0

--fix from 0.2 still works the same way.

v0.2.0

27 Apr 06:52


ci-doctor 0.2.0 - --fix mode

ci-doctor is no longer read-only. The new --fix flag rewrites your workflow files in place to fix the issues that have a single safe answer.

What --fix applies

Rule                    Auto-fix
missing-permissions     adds top-level permissions: { contents: read }
missing-concurrency     adds concurrency block with cancel-in-progress
missing-timeout         adds timeout-minutes: 15 per job missing it
artifact-no-retention   adds retention-days: 7 to actions/upload-artifact

Comments and ordering of existing keys are preserved (uses yaml.parseDocument).

Usage

npx ci-doctor --fix             # write changes
npx ci-doctor --fix --dry-run   # preview the patched yaml on stdout
npx ci-doctor --fix --only=missing-timeout

What --fix does NOT touch

Anything that requires a judgment call:

  • cache ecosystem (npm/pip/gradle/...)
  • action major-version bumps
  • SHA pinning -> use the companion CLI pin-actions
  • runner cost decisions

These keep their warning so a human can decide.

Install

npx ci-doctor@0.2.0

8 new tests, full suite green on Node 18 / 20 / 22.

v0.1.4

27 Apr 06:32


pinned-action-sha rule now points users at the new free CLI pin-actions which fixes the issue automatically. Markdown reporter footer also references gha-budget for dollar costs. Animated demo + badges in README. CI workflow is fully SHA-pinned.

Install: npx ci-doctor or npx ci-doctor --demo

v0.1.1 - real demo + example workflow

27 Apr 05:42


Docs-only release.

  • Add examples/bad-workflow/ so the README demo is runnable from a clone.
  • README demo block now shows real ci-doctor output (7 findings) from examples/bad-workflow/, instead of an abridged 4-finding sample.
  • No engine or rule changes.

Install: npm install -g ci-doctor or npx ci-doctor.

ci-doctor v0.1.0

27 Apr 04:59


First public release.

11 rules covering CI cost, security, and maintenance defaults for GitHub Actions workflows.

Use as a CLI:

npx ci-doctor

Or as a GitHub Action with sticky PR comments:

- uses: depmedicdev-byte/ci-doctor@v0.1.0
  with:
    fail-on: error

Node 18+. MIT.