analyze-ci-config

CI Configuration Analyzer

Analyzes CI/CD configurations for issues, optimizations, and best practices.

Analysis Categories

1. Structure Analysis

┌─────────────────────────────────────────────────────────────────┐
│                    CI CONFIG ANALYSIS                           │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ✓ Stages defined: install → lint → test → build → deploy      │
│  ✓ Jobs properly ordered                                        │
│  ✗ Missing concurrency control                                  │
│  ✗ No timeout configuration                                     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

2. Caching Analysis

Issue	Severity	Location	Recommendation
No Composer cache	🟠 Major	`lint` job	Add `actions/cache` for `~/.composer/cache`
Invalid cache key	🟡 Minor	Line 23	Use `hashFiles('composer.lock')`
Missing vendor cache	🟠 Major	All jobs	Share vendor between jobs with artifacts

3. Security Analysis

Issue	Severity	Location	Risk
`pull_request_target` misuse	🔴 Critical	Line 5	Code injection from forks
Secrets in logs	🔴 Critical	Line 45	`echo ${{ secrets.API_KEY }}` exposed
Outdated actions	🟠 Major	Lines 12, 18	Using `@v1` instead of `@v4`
No permissions defined	🟡 Minor	-	Uses default (write-all)

GitHub Actions Analysis

Checklist

## GitHub Actions Analysis Report

### Configuration: `.github/workflows/ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Proper job dependencies (needs)
- [ ] Concurrency configuration
- [ ] Timeout defined for jobs
- [x] Workflow triggers appropriate

#### Caching ⚠️
- [ ] Composer dependencies cached
- [ ] Node modules cached (if applicable)
- [x] Docker layer caching
- [ ] Cache keys use file hashes

#### Security 🔴
- [ ] Permissions explicitly defined
- [ ] No secrets echoed
- [x] Actions pinned to SHA
- [ ] pull_request_target safe usage

#### Performance ⚠️
- [ ] Jobs run in parallel where possible
- [x] Matrix strategy for PHP versions
- [ ] Fail-fast disabled for matrix
- [ ] Artifacts shared between jobs

#### Best Practices ✓
- [x] Uses specific action versions
- [x] Environment variables centralized
- [ ] Reusable workflows
- [x] Clear job names

Common Issues

1. Missing Concurrency

# ❌ BAD: No concurrency control
name: CI
on: [push, pull_request]

# ✅ GOOD: Cancel redundant runs
name: CI
on: [push, pull_request]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

2. Inefficient Caching

# ❌ BAD: Cache key doesn't include lock file
- uses: actions/cache@v4
  with:
    path: vendor
    key: vendor-${{ github.sha }}

# ✅ GOOD: Cache key based on lock file
- uses: actions/cache@v4
  with:
    path: |
      ~/.composer/cache
      vendor
    key: composer-${{ hashFiles('composer.lock') }}
    restore-keys: composer-

3. Security Issues

# ❌ BAD: Dangerous with forks
on:
  pull_request_target:
    types: [opened]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # Runs untrusted code

# ✅ GOOD: Separate trusted/untrusted
on:
  pull_request:  # Safe: runs in context of base

GitLab CI Analysis

Checklist

## GitLab CI Analysis Report

### Configuration: `.gitlab-ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Stages defined
- [x] Jobs assigned to stages
- [ ] Global variables defined
- [x] Default image set

#### Caching ⚠️
- [ ] Cache key uses files hash
- [ ] Cache policy appropriate (pull/push)
- [x] Cache paths correct
- [ ] Artifacts used for job sharing

#### Security ⚠️
- [x] Secrets in CI/CD variables (not code)
- [ ] Protected branches configured
- [ ] No sensitive data in artifacts
- [x] Image from trusted registry

#### Performance ⚠️
- [ ] Jobs run in parallel
- [x] Needs keyword for dependencies
- [ ] Rules/only properly configured
- [ ] DAG mode enabled

#### Best Practices ✓
- [x] Uses extends for reuse
- [x] Clear job names
- [ ] Include for modular config
- [x] Appropriate timeouts

Common Issues

1. Cache Key Without Hash

# ❌ BAD: Cache never invalidates properly
cache:
  key: composer-cache
  paths:
    - vendor/

# ✅ GOOD: Cache invalidates on lock change
cache:
  key:
    files:
      - composer.lock
  paths:
    - vendor/

2. Missing Needs

# ❌ BAD: Sequential stages, no parallelism
stages:
  - lint
  - test

phpstan:
  stage: lint
  script: vendor/bin/phpstan

phpunit:
  stage: test  # Waits for ALL lint jobs

# ✅ GOOD: DAG with needs
phpunit:
  stage: test
  needs: [composer-install]  # Only waits for install

Analysis Output Format

# CI/CD Configuration Analysis

**File:** `.github/workflows/ci.yml`
**Platform:** GitHub Actions
**Date:** 2024-01-15

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Structure | ✅ Good | 0 |
| Caching | ⚠️ Warning | 3 |
| Security | 🔴 Critical | 2 |
| Performance | ⚠️ Warning | 4 |
| Best Practices | ✅ Good | 1 |

**Total Issues:** 10 (2 Critical, 4 Major, 4 Minor)

## Critical Issues

### SEC-001: Exposed Secret in Logs
**Location:** Line 45
**Code:**
```yaml
- run: echo "Deploying with ${{ secrets.DEPLOY_KEY }}"

Risk: Secret visible in workflow logs Fix:

- run: echo "Deploying..."
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}

SEC-002: pull_request_target with Checkout

Location: Lines 3, 15 Risk: Arbitrary code execution from forks Fix: Use pull_request event instead, or don't checkout PR code

Major Issues

CACHE-001: Missing Composer Cache

Location: lint job Impact: +2-3 minutes per run Fix:

- uses: actions/cache@v4
  with:
    path: ~/.composer/cache
    key: composer-${{ hashFiles('composer.lock') }}

PERF-001: Sequential Jobs Could Run Parallel

Location: test-unit, test-integration Impact: +5 minutes total Fix: Remove needs dependency between test jobs

Minor Issues

BP-001: Using Outdated Action Version

Location: Line 12 Current: actions/checkout@v2 Recommended: actions/checkout@v4

Recommendations

Immediate: Fix security issues SEC-001 and SEC-002
Short-term: Implement caching improvements
Long-term: Restructure for parallel execution

Optimized Configuration

See Appendix A for complete optimized configuration.


## Analysis Instructions

1. **Parse configuration:**
   - Validate YAML syntax
   - Identify platform (GitHub/GitLab)
   - Extract jobs, stages, triggers

2. **Check structure:**
   - Proper job ordering
   - Dependencies (needs/stages)
   - Concurrency settings
   - Timeouts

3. **Analyze caching:**
   - Cache keys use file hashes
   - Appropriate cache paths
   - Cache policy (pull/push)
   - Artifacts for job sharing

4. **Security review:**
   - Secret exposure
   - Permissions
   - Unsafe triggers
   - Action versions

5. **Performance audit:**
   - Parallel execution opportunities
   - Unnecessary sequential jobs
   - Matrix optimization
   - Fail-fast settings

## Usage

Provide:
- Path to CI configuration file(s)
- Specific areas to focus on (optional)

The analyzer will:
1. Parse and validate configuration
2. Check against best practices
3. Identify issues by severity
4. Provide specific fixes
5. Generate optimized configuration

CI Configuration Analyzer

Analyzes CI/CD configurations for issues, optimizations, and best practices.

Analysis Categories

1. Structure Analysis

┌─────────────────────────────────────────────────────────────────┐
│                    CI CONFIG ANALYSIS                           │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ✓ Stages defined: install → lint → test → build → deploy      │
│  ✓ Jobs properly ordered                                        │
│  ✗ Missing concurrency control                                  │
│  ✗ No timeout configuration                                     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘

2. Caching Analysis

Issue	Severity	Location	Recommendation
No Composer cache	🟠 Major	`lint` job	Add `actions/cache` for `~/.composer/cache`
Invalid cache key	🟡 Minor	Line 23	Use `hashFiles('composer.lock')`
Missing vendor cache	🟠 Major	All jobs	Share vendor between jobs with artifacts

3. Security Analysis

Issue	Severity	Location	Risk
`pull_request_target` misuse	🔴 Critical	Line 5	Code injection from forks
Secrets in logs	🔴 Critical	Line 45	`echo ${{ secrets.API_KEY }}` exposed
Outdated actions	🟠 Major	Lines 12, 18	Using `@v1` instead of `@v4`
No permissions defined	🟡 Minor	-	Uses default (write-all)

GitHub Actions Analysis

Checklist

## GitHub Actions Analysis Report

### Configuration: `.github/workflows/ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Proper job dependencies (needs)
- [ ] Concurrency configuration
- [ ] Timeout defined for jobs
- [x] Workflow triggers appropriate

#### Caching ⚠️
- [ ] Composer dependencies cached
- [ ] Node modules cached (if applicable)
- [x] Docker layer caching
- [ ] Cache keys use file hashes

#### Security 🔴
- [ ] Permissions explicitly defined
- [ ] No secrets echoed
- [x] Actions pinned to SHA
- [ ] pull_request_target safe usage

#### Performance ⚠️
- [ ] Jobs run in parallel where possible
- [x] Matrix strategy for PHP versions
- [ ] Fail-fast disabled for matrix
- [ ] Artifacts shared between jobs

#### Best Practices ✓
- [x] Uses specific action versions
- [x] Environment variables centralized
- [ ] Reusable workflows
- [x] Clear job names

Common Issues

1. Missing Concurrency

# ❌ BAD: No concurrency control
name: CI
on: [push, pull_request]

# ✅ GOOD: Cancel redundant runs
name: CI
on: [push, pull_request]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

2. Inefficient Caching

# ❌ BAD: Cache key doesn't include lock file
- uses: actions/cache@v4
  with:
    path: vendor
    key: vendor-${{ github.sha }}

# ✅ GOOD: Cache key based on lock file
- uses: actions/cache@v4
  with:
    path: |
      ~/.composer/cache
      vendor
    key: composer-${{ hashFiles('composer.lock') }}
    restore-keys: composer-

3. Security Issues

# ❌ BAD: Dangerous with forks
on:
  pull_request_target:
    types: [opened]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # Runs untrusted code

# ✅ GOOD: Separate trusted/untrusted
on:
  pull_request:  # Safe: runs in context of base

GitLab CI Analysis

Checklist

## GitLab CI Analysis Report

### Configuration: `.gitlab-ci.yml`

#### Structure ✓
- [x] Valid YAML syntax
- [x] Stages defined
- [x] Jobs assigned to stages
- [ ] Global variables defined
- [x] Default image set

#### Caching ⚠️
- [ ] Cache key uses files hash
- [ ] Cache policy appropriate (pull/push)
- [x] Cache paths correct
- [ ] Artifacts used for job sharing

#### Security ⚠️
- [x] Secrets in CI/CD variables (not code)
- [ ] Protected branches configured
- [ ] No sensitive data in artifacts
- [x] Image from trusted registry

#### Performance ⚠️
- [ ] Jobs run in parallel
- [x] Needs keyword for dependencies
- [ ] Rules/only properly configured
- [ ] DAG mode enabled

#### Best Practices ✓
- [x] Uses extends for reuse
- [x] Clear job names
- [ ] Include for modular config
- [x] Appropriate timeouts

Common Issues

1. Cache Key Without Hash

# ❌ BAD: Cache never invalidates properly
cache:
  key: composer-cache
  paths:
    - vendor/

# ✅ GOOD: Cache invalidates on lock change
cache:
  key:
    files:
      - composer.lock
  paths:
    - vendor/

2. Missing Needs

# ❌ BAD: Sequential stages, no parallelism
stages:
  - lint
  - test

phpstan:
  stage: lint
  script: vendor/bin/phpstan

phpunit:
  stage: test  # Waits for ALL lint jobs

# ✅ GOOD: DAG with needs
phpunit:
  stage: test
  needs: [composer-install]  # Only waits for install

Analysis Output Format

# CI/CD Configuration Analysis

**File:** `.github/workflows/ci.yml`
**Platform:** GitHub Actions
**Date:** 2024-01-15

## Summary

| Category | Status | Issues |
|----------|--------|--------|
| Structure | ✅ Good | 0 |
| Caching | ⚠️ Warning | 3 |
| Security | 🔴 Critical | 2 |
| Performance | ⚠️ Warning | 4 |
| Best Practices | ✅ Good | 1 |

**Total Issues:** 10 (2 Critical, 4 Major, 4 Minor)

## Critical Issues

### SEC-001: Exposed Secret in Logs
**Location:** Line 45
**Code:**
```yaml
- run: echo "Deploying with ${{ secrets.DEPLOY_KEY }}"

Risk: Secret visible in workflow logs Fix:

- run: echo "Deploying..."
  env:
    DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}

SEC-002: pull_request_target with Checkout

Location: Lines 3, 15 Risk: Arbitrary code execution from forks Fix: Use pull_request event instead, or don't checkout PR code

Major Issues

CACHE-001: Missing Composer Cache

Location: lint job Impact: +2-3 minutes per run Fix:

- uses: actions/cache@v4
  with:
    path: ~/.composer/cache
    key: composer-${{ hashFiles('composer.lock') }}

PERF-001: Sequential Jobs Could Run Parallel

Location: test-unit, test-integration Impact: +5 minutes total Fix: Remove needs dependency between test jobs

Minor Issues

BP-001: Using Outdated Action Version

Location: Line 12 Current: actions/checkout@v2 Recommended: actions/checkout@v4

Recommendations

Immediate: Fix security issues SEC-001 and SEC-002
Short-term: Implement caching improvements
Long-term: Restructure for parallel execution

Optimized Configuration

See Appendix A for complete optimized configuration.


## Analysis Instructions

1. **Parse configuration:**
   - Validate YAML syntax
   - Identify platform (GitHub/GitLab)
   - Extract jobs, stages, triggers

2. **Check structure:**
   - Proper job ordering
   - Dependencies (needs/stages)
   - Concurrency settings
   - Timeouts

3. **Analyze caching:**
   - Cache keys use file hashes
   - Appropriate cache paths
   - Cache policy (pull/push)
   - Artifacts for job sharing

4. **Security review:**
   - Secret exposure
   - Permissions
   - Unsafe triggers
   - Action versions

5. **Performance audit:**
   - Parallel execution opportunities
   - Unnecessary sequential jobs
   - Matrix optimization
   - Fail-fast settings

## Usage

Provide:
- Path to CI configuration file(s)
- Specific areas to focus on (optional)

The analyzer will:
1. Parse and validate configuration
2. Check against best practices
3. Identify issues by severity
4. Provide specific fixes
5. Generate optimized configuration

analyze-ci-config

Popularity

Invocation

Context Preview

SKILL.md

Similar Skills

Help us improve

Help us improve

Find plugins for your project

analyze-ci-config

Popularity

Invocation

Context Preview

SKILL.md

CI Configuration Analyzer

Analysis Categories

1. Structure Analysis

2. Caching Analysis

3. Security Analysis

GitHub Actions Analysis

Checklist

Common Issues

1. Missing Concurrency

2. Inefficient Caching

3. Security Issues

GitLab CI Analysis

Checklist

Common Issues

1. Cache Key Without Hash

2. Missing Needs

Analysis Output Format

SEC-002: pull_request_target with Checkout

Major Issues

CACHE-001: Missing Composer Cache

PERF-001: Sequential Jobs Could Run Parallel

Minor Issues

BP-001: Using Outdated Action Version

Recommendations

Optimized Configuration

Similar Skills

Help us improve

CI Configuration Analyzer

Analysis Categories

1. Structure Analysis

2. Caching Analysis

3. Security Analysis

GitHub Actions Analysis

Checklist

Common Issues

1. Missing Concurrency

2. Inefficient Caching

3. Security Issues

GitLab CI Analysis

Checklist

Common Issues

1. Cache Key Without Hash

2. Missing Needs

Analysis Output Format

SEC-002: pull_request_target with Checkout

Major Issues

CACHE-001: Missing Composer Cache

PERF-001: Sequential Jobs Could Run Parallel

Minor Issues

BP-001: Using Outdated Action Version

Recommendations

Optimized Configuration