Keep your CI pipelines fast, cheap, secure, and reliable — and fix them with a PR.

ciwright

A "wright" builds and keeps things in good repair. Pipewright reads a repo's GitHub Actions setup, scores it across four areas, and proposes each fix as a pull request you approve. It never edits your pipeline in place: every change lands on a new branch, and main is never touched.

This is v1.2 (Python-first).

Install

# once published:
uvx ciwright analyze        # or: pipx run ciwright analyze

# from source:
pip install -e ".[dev]"

The CLI is ciwright, with a short pw alias.

Use

ciwright detect        # what does ciwright see in this repo?
ciwright score         # the CI health score, per category
ciwright analyze       # the score + tier-relevant findings (read-only)
ciwright usage         # real run-history stats + rough savings estimates
ciwright fix           # preview the exact YAML changes as a diff
ciwright fix --apply   # open the changes as a pull request (new branch, never main)

usage reads run history from the GitHub CLI (gh) or a JSON file:

gh api repos/OWNER/NAME/actions/runs > runs.json
ciwright usage --from-file runs.json

The health score

Lighthouse-style, 0–100 per category, scored only over the checks that matter at your pipeline's tier:

CI health  56/100
  speed       ████████░░   75  3/4 ok
  cost        ░░░░░░░░░░    0  0/2 ok
  security    █████░░░░░   50  1/2 ok
  reliability ██████████  100  1/1 ok

It meets your pipeline where it is

Pipewright sorts your pipeline into a tier from the YAML alone, and only shows checks relevant to that tier — so a tiny workflow isn't nagged about (or graded on) monorepo machinery.

  • Starter — one workflow, one job. The safe basics only.
  • Growing — several jobs, a matrix, a real test suite. Adds parallelism, job timeouts, double-run dedupe, and the security checks.
  • Scale — monorepo, Docker, many jobs. Adds test splitting and Docker caching.

What it checks (Python edition)

Check                               Area         Tier
Cache dependencies                  speed        starter
Cancel superseded runs              speed        starter
Skip docs-only changes              speed        starter
Replace deprecated actions/runners  reliability  starter
Set job timeouts                    cost         growing
Avoid double CI runs                cost         growing
Run tests in parallel               speed        growing
Pin actions to a SHA                security     growing
Limit GITHUB_TOKEN scope            security     growing
Split tests across machines         speed        scale
Cache Docker layers                 speed        scale

For deep GitHub Actions security auditing, pair ciwright with zizmor — it's the specialist there. Pipewright's lane is the unified score plus one-command autofix PRs for the speed and cost wins.
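
What the two security rows in the table look for, as an added sketch that is not ciwright's own code: a line-based scan that flags `uses:` references not pinned to a full 40-character commit SHA and reports a workflow with no `permissions:` key. The sample workflow, the placeholder SHA and all function names are constructed for illustration.

```python
import re

# Constructed sample workflow (not taken from the ciwright repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-step
      - run: pytest
"""

# Matches step-level ("- uses:") and job-level ("uses:") references, not comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:", re.MULTILINE)


def unpinned_actions(workflow_text):
    """Return (line_number, reference) for each `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        # Local actions and container images are not git refs; skip them.
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.partition("@")
        # Tags and branches are mutable; only a full commit SHA is immutable.
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


def lacks_permissions_block(workflow_text):
    """True when no `permissions:` key exists at any level, so GITHUB_TOKEN
    keeps whatever default scope the repository or organization grants."""
    return PERMISSIONS_RE.search(workflow_text) is None


def audit(workflow_text):
    return {"unpinned": unpinned_actions(workflow_text),
            "no_permissions": lacks_permissions_block(workflow_text)}


if __name__ == "__main__":
    print(audit(SAMPLE_WORKFLOW))
```

Because the scan is line-based, a `permissions:` key on a single job counts as present for the whole file; a YAML-aware check would evaluate each job separately.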

What it deliberately will not do

  • It will never edit your pipeline silently. fix --apply puts changes on a new branch and opens a pull request you read and approve.
  • Only safe changes are auto-applied — caching, path filters, concurrency. Everything else, including all security and structural changes, is advisory.
  • usage separates measured facts from savings estimates, and keeps the estimates clearly hedged. No single confident-but-wrong "saves N minutes".

Publishing

python -m build produces the sdist + wheel; both pass twine check. The included .github/workflows/release.yml publishes to PyPI via Trusted Publishing (OIDC — no API token) when you publish a GitHub release. Before the first publish: create the project on PyPI, add a trusted publisher for this repo + a pypi environment, and pin the workflow's actions to SHAs.

Roadmap

  • v0.1–v0.3 — detect, analyze, preview, and PR-based apply
  • v1.0 — rebrand, maturity tiers, four-area checks
  • v1.1 — security & reliability checks + the health score
  • v1.2 — usage stats + savings estimates; packaging & release workflow
  • later — Node + pnpm, then GitLab CI

Develop

pip install -e ".[dev]"
pytest          # 62 tests
ruff check .

License

MIT — see LICENSE.


Source Distribution

ciwright-1.2.0.tar.gz (27.8 kB)

Uploaded Source

Built Distribution

ciwright-1.2.0-py3-none-any.whl (26.6 kB)

Uploaded Python 3

File details

Details for the file ciwright-1.2.0.tar.gz.

File metadata

  • Download URL: ciwright-1.2.0.tar.gz
  • Upload date:
  • Size: 27.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ciwright-1.2.0.tar.gz
Algorithm Hash digest
SHA256 1edcde560adf917ba90a2686c10a42eb186bd18007b08e6fb3553e1cd3d68472
MD5 b4c4d1ab1916d44576b1c78c6a86eb9f
BLAKE2b-256 33e48f2fa746a4c71ac7e6da1d231d87d277590a90f3179492345a7c2d9df9e5

Provenance

The following attestation bundles were made for ciwright-1.2.0.tar.gz:

Publisher: release.yml on iamfouzan/ciwright

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file ciwright-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: ciwright-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 26.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for ciwright-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1a99406eca54ede671237e40229624eff8864a8ab505e38084a684f1d1a9b833
MD5 0b1a7f854a5e020cc8c2314dff05197e
BLAKE2b-256 6e0488c4ccb1be52356bd6a91d4bc6746552efe6822f4dbc088a70f2dcb61fd0

Provenance

The following attestation bundles were made for ciwright-1.2.0-py3-none-any.whl:

Publisher: release.yml on iamfouzan/ciwright

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
