I maintain ci-doctor. The most common question I get is "isn't this what actionlint does?"
Short answer: no, and you should run both. Here's why.
tl;dr
Run both. We do, on every depmedic repo. actionlint for correctness, ci-doctor for cost and reliability. They take roughly 6 ms each on a typical repo.
Where actionlint wins
- Shell script linting via shellcheck. Catches `[[ $foo == "bar" ]]` instead of `[[ "$foo" == "bar" ]]`, missing quotes, unsafe glob expansion, the whole shellcheck rule library inside `run:` blocks.
- Expression / context typing. Knows `github.event.repository.private` is a boolean and complains if you compare it to a string.
- Action input validation. Reads each action's `action.yml` and verifies you're passing the right inputs.
- Matrix matrix matrix. Rich validation for `strategy.matrix.include`/`exclude` patterns.
- Pure Go binary, very fast, very mature, written by rhysd who knows GitHub Actions cold.
Where ci-doctor wins
- Cost rules actionlint does not have. `missing-concurrency`, `missing-cache`, `expensive-runner`, `cron-storm`, `wide-paths`. These show up in the bill, not in the build log.
- Reliability rules actionlint does not have. `missing-timeout-minutes`, `flaky-retries`, `legacy-actions-version`, `service-no-healthcheck`.
- Auto-fix mode. `npx ci-doctor --fix` rewrites four safe categories in place.
- $-denominated cost via gha-budget. Pairs cleanly.
- SARIF + sticky PR comment via ci-doctor-action.
- Same engine ports to GitLab, Bitbucket, Azure Pipelines, CircleCI with CI-native rules. One mental model across stacks.
Run them side by side
```yaml
name: ci-audit
on: pull_request

# Least-privilege token: read the repo, write only Code Scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-actionlint@v1

  ci-doctor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@v1
```
12 seconds total. Reports go to different categories (actionlint inline review comments, ci-doctor sticky comment + Code Scanning). They don't conflict.
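For reference, here is the same workflow with the two standard GitHub Actions settings that the rule names `missing-concurrency` and `missing-timeout-minutes` point at. This is an added example, not ci-doctor's own output or documentation; that those rules check for exactly these keys is an assumption drawn from their names, and the 5-minute limit and the concurrency group name are constructed values.

```yaml
name: ci-audit
on: pull_request

permissions:
  contents: read
  security-events: write

# A new push to the same PR cancels the audit still running for the old
# commit, so superseded runs stop consuming runner minutes.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  actionlint:
    runs-on: ubuntu-latest
    # Constructed value: a hung lint job is killed after 5 minutes instead
    # of running to the 360-minute default job limit.
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-actionlint@v1

  ci-doctor:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - uses: actions/checkout@v4
      - uses: depmedicdev-byte/ci-doctor-action@v1
```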
Honest comparison styled
Full table at /compare/ci-doctor-vs-actionlint.html. Other comparisons in the family:
- vs zizmor (security-focused analyzer)
- vs super-linter
- vs mega-linter
- vs octoscan
Why I bother writing these
Because every "X vs Y" comparison written by one of the maintainers is suspicious by default, and I'd rather you have the honest version than discover the trade-offs after committing one to your CI pipeline. If anything here is wrong or outdated, open an issue and I'll fix it.
We do not pay for placement and we do not accept paid placement.