Governed AI-ops for self-managed GitLab + Gitea CI/CD: pipelines, jobs, runners, artifacts, repo hygiene, flagship RCA analyses (pipeline failures, runner health, storage bloat, stale work), and governed writes (retry/cancel, pause/resume, artifact deletion, branch protection) with a built-in governance harness (audit, budget, undo, risk tiers)
Project description
CICD AIops
Governed AI-ops for self-managed GitLab and self-hosted Gitea.
cicd-aiops is for the team running its own CI/CD forge — a GitLab instance
or a Gitea server on your hardware, in your lab, behind your VPN — who want an
AI agent that can answer "why did the pipeline fail?", "which runner is
wedged?", "where did 40 GB of artifact storage go?" and "what work went
stale?" and then act (retry, cancel, pause, delete, protect) only through
an audited, budgeted, risk-tiered, undo-recorded governance harness. It is not
a SaaS integration: it speaks the GitLab REST API v4 and the Gitea API v1
directly against your server, with credentials encrypted at rest.
Preview / mock-only: modelled from each project's public API docs and exercised against mocked HTTP responses; not yet validated against live servers.
cicd-aiops doctoris the fastest live check.
Routing: Do NOT use this for Kubernetes deploy state — use k8s-aiops. This tool ends at the CI/CD server's API (pipelines, runners, artifacts, repo hygiene).
Quick start
uv tool install cicd-aiops # or: pip install cicd-aiops
cicd-aiops init # wizard: base URL + token (encrypted) + TLS verify
cicd-aiops doctor # connectivity + token-scope probe per target
cicd-aiops overview # version, identity, projects, runners at a glance
Then the interesting parts:
cicd-aiops rca pipelines dev/api # classify recent failed pipelines
cicd-aiops rca runners # offline/stale runners, tag saturation
cicd-aiops rca storage # artifact/repo bloat, reclaimable bytes
cicd-aiops rca stale dev/api # stale MRs/branches, protection gaps
cicd-aiops pipelines retry dev/api 42 --dry-run
cicd-aiops artifacts delete dev/api --older-than-days 30 --dry-run
Every write has --dry-run and a double confirmation, and executes through
the same governed path the MCP tools use — so CLI writes are audited too.
Support scope
| Surface | GitLab (REST v4, self-managed) | Gitea (API v1, self-hosted) |
|---|---|---|
| Server version + token identity | ✅ | ✅ |
| Projects + storage statistics | ✅ (statistics=true) |
✅ (repo size) |
| Pipelines / runs, jobs, trace tails | ✅ | ✅ (Actions runs/jobs/logs) |
| Runner fleet (list/detail) | ✅ | ❌ teaching error (no API v1 equivalent) |
| Merge/pull requests, branches, protection, releases | ✅ | ✅ |
| Artifact inventory | ✅ (via jobs) | ✅ (Actions artifacts) |
retry_pipeline / cancel_pipeline |
✅ | ❌ teaching error |
pause_runner / resume_runner |
✅ | ❌ teaching error |
delete_artifacts |
✅ | ❌ teaching error |
update_branch_protection |
✅ | ✅ |
Where a platform lacks a surface, the platform registry raises a teaching error naming the resources that are available — the agent learns instead of hitting a mystery 404. GitLab.com / Gitea Cloud SaaS accounts are out of scope by design: this tool targets self-managed instances.
Flagship analyses (the reason this tool exists)
pipeline_failure_rca— pulls recent failed pipelines with failed-job trace tails and classifies each failure: test-failure / dependency-network / runner-timeout / oom / script-error, with the matched evidence, a cause, and an action per pipeline.runner_health_rca— offline/stale/paused runners (contact-age threshold), jobs queued past a threshold, and per-tag saturation (queued jobs vs online runners).artifact_storage_bloat_analysis— projects ranked by repo + artifact bytes, expired-but-kept artifacts, and a reclaimable-bytes estimate that feeds straight intodelete_artifacts --dry-run.stale_work_audit— merge/pull requests idle past N days, branches with no commits for N days, and protection gaps (unprotected default branch, force-push allowed).
All four are transparent heuristics: thresholds are named parameters and every flag carries its numbers.
Governance (built in, always on)
Every MCP tool and every CLI write runs through the vendored harness in
cicd_aiops/governance/:
- Audit — every call (including denials and errors) lands in
~/.cicd-aiops/audit.dbwith params, status, risk level, and approver. - Budget — call/time budgets and a runaway breaker
(
CICD_MAX_TOOL_CALLS,CICD_MAX_TOOL_SECONDS,CICD_RUNAWAY_MAX). - Risk tiers, secure by default — reads are
low; mutating writes aremedium;delete_artifactsishigh. With norules.yaml, high-risk writes are denied unless a named approver is set (CICD_AUDIT_APPROVED_BY, plusCICD_AUDIT_RATIONALE).initseeds a starterrules.yamlwith that dual-control tier spelled out. - Undo — reversible writes record a replayable inverse in
~/.cicd-aiops/undo.db, built from the fetched before-state:pause_runner⇄resume_runner, andupdate_branch_protectionreplays the prior settings. Irreversible writes (retry_pipeline,cancel_pipeline,delete_artifacts) recordpriorState(status / bytes+count) instead. - Dry-run everywhere — every write takes
dry_run=True(MCP) /--dry-run(CLI) and previews without calling the server. - Sanitize — all server-returned text is folded through an injection-safe normaliser (bounded strings, capped depth) before an agent sees it; all path parameters are percent-encoded so an identifier can never rewrite a URL.
Secrets
Tokens live in ~/.cicd-aiops/secrets.enc — Fernet-encrypted, key derived
from a master password via scrypt. Never plaintext on disk. Set
CICD_AIOPS_MASTER_PASSWORD for non-interactive/MCP use, and manage with
cicd-aiops secret set|list|remove|migrate. TLS verification defaults ON
(the init wizard asks before turning it off for lab certs).
MCP server
26 governed tools (20 reads incl. the four flagship analyses, 6 writes).
{
"mcpServers": {
"cicd-aiops": {
"command": "uvx",
"args": ["--from", "cicd-aiops", "cicd-aiops-mcp"],
"env": {
"CICD_AIOPS_MASTER_PASSWORD": "your-master-password"
}
}
}
}
Env-block caveat: MCP clients launch the server with a minimal environment — your shell profile is not sourced. Anything the server needs (
CICD_AIOPS_MASTER_PASSWORD,CICD_AIOPS_HOME,CICD_AUDIT_APPROVED_BYfor high-risk writes) must be set in theenvblock above, not in~/.zshrc.
Alternatively: cicd-aiops mcp (same server, CLI entry point).
Configuration
~/.cicd-aiops/config.yaml (the wizard writes this):
targets:
- name: gl1
platform: gitlab # or: gitea
base_url: https://git.example.com
verify_ssl: true # default ON; set false only for lab certs
The token for each target is stored encrypted under the target's name.
Relocate all state (config, audit, undo, secrets) with CICD_AIOPS_HOME.
Development
uv sync
uv run pytest -q
uv run ruff check .
缺功能?
缺功能提 issue/PR 欢迎留言 — if a GitLab/Gitea surface you need is missing (runner administration on newer Gitea, per-job retry, scheduled pipelines, group-level rollups…), open an issue or PR at https://github.com/AIops-tools/CICD-AIops. The platform registry is designed so a new resource is one path-map entry, not a refactor.
License
MIT. GitLab is a trademark of GitLab Inc.; Gitea is a trademark of its project owners. This project is independent and not affiliated with either.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file cicd_aiops-0.1.0.tar.gz.
File metadata
- Download URL: cicd_aiops-0.1.0.tar.gz
- Upload date:
- Size: 168.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a9dafea8d30b7b8e42b617e2d5765d2fb9ddacccee4fd6db2a884c7822340986
|
|
| MD5 |
97296c82d34d20653ac598dbad32ae07
|
|
| BLAKE2b-256 |
17cf115b810474fa3974c59ac27104b56111725a5ffb173f2f2f3d8c341fe08c
|
File details
Details for the file cicd_aiops-0.1.0-py3-none-any.whl.
File metadata
- Download URL: cicd_aiops-0.1.0-py3-none-any.whl
- Upload date:
- Size: 97.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6278a4b52cd34355887508ee60fecc82a2246619506a5cca9910c14c30b5066d
|
|
| MD5 |
6b6d81e47e1f92e2dff99a768b6b8a96
|
|
| BLAKE2b-256 |
2a7b56f7bc4198a09e74441d81b8792a78252c1011cb5677cbfde360b052d998
|