ciwright
Keep your CI pipelines fast, cheap, secure, and reliable — and fix them with a PR.
A "wright" builds and keeps things in good repair. Pipewright reads a repo's
GitHub Actions setup, scores it across four areas, and proposes each fix as a
pull request you approve. It never edits your pipeline in place: every change
lands on a new branch, and main is never touched.
This is v1.2 (Python-first).
Install
```sh
# once published:
uvx ciwright analyze        # or: pipx run ciwright analyze
# from source:
pip install -e ".[dev]"
```
The CLI is ciwright, with a short pw alias.
Use
```sh
ciwright detect        # what does ciwright see in this repo?
ciwright score         # the CI health score, per category
ciwright analyze       # the score + tier-relevant findings (read-only)
ciwright usage         # real run-history stats + rough savings estimates
ciwright fix           # preview the exact YAML changes as a diff
ciwright fix --apply   # open the changes as a pull request (new branch, never main)
```
`usage` reads run history from the GitHub CLI (`gh`) or a JSON file:
```sh
gh api repos/OWNER/NAME/actions/runs > runs.json
ciwright usage --from-file runs.json
```
The health score
Lighthouse-style, 0–100 per category, scored only over the checks that matter at your pipeline's tier:
```text
CI health 56/100
speed        ████████░░  75   3/4 ok
cost         ░░░░░░░░░░   0   0/2 ok
security     █████░░░░░  50   1/2 ok
reliability  ██████████ 100   1/1 ok
```
It meets your pipeline where it is
Pipewright sorts your pipeline into a tier from the YAML alone, and only shows checks relevant to that tier — so a tiny workflow isn't nagged about (or graded on) monorepo machinery.
- Starter — one workflow, one job. The safe basics only.
- Growing — several jobs, a matrix, a real test suite. Adds parallelism, job timeouts, double-run dedupe, and the security checks.
- Scale — monorepo, Docker, many jobs. Adds test splitting and Docker caching.
What it checks (Python edition)
| Check | Area | Tier |
|---|---|---|
| Cache dependencies | speed | starter |
| Cancel superseded runs | speed | starter |
| Skip docs-only changes | speed | starter |
| Replace deprecated actions/runners | reliability | starter |
| Set job timeouts | cost | growing |
| Avoid double CI runs | cost | growing |
| Run tests in parallel | speed | growing |
| Pin actions to a SHA | security | growing |
| Limit GITHUB_TOKEN scope | security | growing |
| Split tests across machines | speed | scale |
| Cache Docker layers | speed | scale |
For deep GitHub Actions security auditing, pair ciwright with zizmor — it's the specialist there. Pipewright's lane is the unified score plus one-command autofix PRs for the speed and cost wins.
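As an added illustration of what two of the table's security rows test for, the following is example code written for this page, not ciwright's own implementation: it scans a constructed workflow for actions that are not pinned to a full commit SHA and for a missing top-level `permissions:` block, then folds the results into a Lighthouse-style per-area score like the one shown above. The sample workflow and its SHA are constructed placeholders.

```python
"""Added example, not ciwright's own code: two of the table's 'security' checks
run over a constructed workflow, then folded into the per-area score."""
import re

# Constructed sample workflow. One action floats on a mutable tag, one is pinned
# to a placeholder commit SHA, and nothing limits the GITHUB_TOKEN scope.
WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - run: pytest
"""

# `uses: owner/repo@ref` steps; local (./path) steps carry no @ref and are skipped.
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)", re.M)
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def unpinned_actions(yaml_text):
    """Action refs that are a tag or branch rather than a full commit SHA."""
    return [f"{name}@{ref}" for name, ref in USES.findall(yaml_text)
            if not FULL_SHA.fullmatch(ref)]

def has_token_scope(yaml_text):
    """True when a top-level (unindented) `permissions:` block is present."""
    return re.search(r"^permissions:", yaml_text, re.M) is not None

def security_checks(yaml_text):
    """Check name -> passed, for the two 'security' rows of the table above."""
    return {
        "Pin actions to a SHA": not unpinned_actions(yaml_text),
        "Limit GITHUB_TOKEN scope": has_token_scope(yaml_text),
    }

def area_score(results):
    """Lighthouse-style 0-100: share of the tier-relevant checks that pass."""
    return round(100 * sum(results.values()) / len(results)) if results else 100

if __name__ == "__main__":
    checks = security_checks(WORKFLOW)
    for name, ok in checks.items():
        print(("ok  " if ok else "FAIL"), name)
    print(f"security {area_score(checks)}/100")   # security 0/100 for this sample
```

Adding a top-level `permissions: contents: read` and replacing the `@v4` tag with the action's commit SHA brings the same workflow to 100/100 for this area, which is the advisory change ciwright reports rather than auto-applies.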
What it deliberately will not do
- It will never edit your pipeline silently. `fix --apply` puts changes on a new branch and opens a pull request you read and approve.
- Only safe changes are auto-applied — caching, path filters, concurrency. Everything else, including all security and structural changes, is advisory.
- `usage` separates measured facts from savings estimates, and keeps the estimates clearly hedged. No single confident-but-wrong "saves N minutes".
Publishing
`python -m build` produces the sdist + wheel; both pass `twine check`. The included `.github/workflows/release.yml` publishes to PyPI via Trusted Publishing (OIDC — no API token) when you publish a GitHub release. Before the first publish: create the project on PyPI, add a trusted publisher for this repo + a `pypi` environment, and pin the workflow's actions to SHAs.
Roadmap
- v0.1–v0.3 — detect, analyze, preview, and PR-based apply
- v1.0 — rebrand, maturity tiers, four-area checks
- v1.1 — security & reliability checks + the health score
- v1.2 — usage stats + savings estimates; packaging & release workflow
- later — Node + pnpm, then GitLab CI
Develop
```sh
pip install -e ".[dev]"
pytest          # 62 tests
ruff check .
```
License
MIT — see LICENSE.
File details
Details for the file ciwright-1.2.0.tar.gz.
File metadata
- Download URL: ciwright-1.2.0.tar.gz
- Size: 27.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1edcde560adf917ba90a2686c10a42eb186bd18007b08e6fb3553e1cd3d68472 |
| MD5 | b4c4d1ab1916d44576b1c78c6a86eb9f |
| BLAKE2b-256 | 33e48f2fa746a4c71ac7e6da1d231d87d277590a90f3179492345a7c2d9df9e5 |
Provenance
The following attestation bundles were made for ciwright-1.2.0.tar.gz:
- Publisher: release.yml on iamfouzan/ciwright
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: ciwright-1.2.0.tar.gz
- Subject digest: 1edcde560adf917ba90a2686c10a42eb186bd18007b08e6fb3553e1cd3d68472
- Sigstore transparency entry: 2019310857
- Permalink: iamfouzan/ciwright@704ac91ae02c3757925519c0d4835256fb974661
- Branch / Tag: refs/tags/v1.2.0
- Owner: https://github.com/iamfouzan
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@704ac91ae02c3757925519c0d4835256fb974661
- Trigger Event: release
File details
Details for the file ciwright-1.2.0-py3-none-any.whl.
File metadata
- Download URL: ciwright-1.2.0-py3-none-any.whl
- Size: 26.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1a99406eca54ede671237e40229624eff8864a8ab505e38084a684f1d1a9b833 |
| MD5 | 0b1a7f854a5e020cc8c2314dff05197e |
| BLAKE2b-256 | 6e0488c4ccb1be52356bd6a91d4bc6746552efe6822f4dbc088a70f2dcb61fd0 |
Provenance
The following attestation bundles were made for ciwright-1.2.0-py3-none-any.whl:
- Publisher: release.yml on iamfouzan/ciwright
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: ciwright-1.2.0-py3-none-any.whl
- Subject digest: 1a99406eca54ede671237e40229624eff8864a8ab505e38084a684f1d1a9b833
- Sigstore transparency entry: 2019311008
- Permalink: iamfouzan/ciwright@704ac91ae02c3757925519c0d4835256fb974661
- Branch / Tag: refs/tags/v1.2.0
- Owner: https://github.com/iamfouzan
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@704ac91ae02c3757925519c0d4835256fb974661
- Trigger Event: release