Skip to content

CI

GitHub Action

The recommended CI setup: a composite action that checks only the dependencies a PR adds or changes and fails with inline annotations on package.json.

The action wraps the CLI in its flagship configuration: changed-only mode against the PR's base branch, inline annotations enabled, the workflow token used for GitHub enrichment.

Usage

Create .github/workflows/rn-doctor.yml:

name: Dependency health
 
on:
  pull_request:
 
permissions:
  contents: read
 
jobs:
  rn-doctor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          fetch-depth: 0 # required for changed-only (merge-base diff)
 
      - uses: AmrithVengalath/react-native-doctor-ci/[email protected]
        with:
          changed-only: "true"
          base: origin/${{ github.base_ref }}

A PR that adds or upgrades a dependency failing your policy gets a red check and an annotation on the offending package.json line in the Files changed tab.

Inputs

InputDefaultDescription
versionlatestnpm version or dist-tag of the CLI to run. Pin for reproducible CI.
policy(empty)Policy file path. Empty auto-detects .rn-doctor.yml.
changed-only"false"Only check deps added/changed vs base. Needs fetch-depth: 0.
base(empty)Base ref for changed-only. Empty means origin/main.
workspaces"false"Also check every workspace package.json.
annotations"true"Inline GitHub annotations.
tokenthe workflow tokenUsed to read public repo metadata (archived, last push).
working-directory.Directory containing the package.json to check.
node-version22Node to set up; the CLI requires >= 20.

Notes

  • changed-only computes the diff against the merge-base of the PR branch and base — the same commit range as GitHub's three-dot compare. That is why fetch-depth: 0 is required; a shallow checkout has no merge-base, and the run fails with a message saying exactly that.
  • The default GITHUB_TOKEN is enough; it only reads public repository metadata. Without any token, GitHub-backed fields degrade to unknown with a warning — rate limits never fail a run.
  • The exit code passes through unchanged, so branch protection sees 1 (policy errors) as a failed check and 2 (tool failure) as a broken run worth investigating.

The repository's example/ directory has this workflow and a fully commented policy file ready to copy.