CI
GitHub Action
The recommended CI setup: a composite action that checks only the dependencies a PR adds or changes and fails with inline annotations on package.json.
The action wraps the CLI in its flagship configuration: changed-only mode against the PR's base branch, inline annotations enabled, the workflow token used for GitHub enrichment.
Usage
Create .github/workflows/rn-doctor.yml:
name: Dependency health
on:
pull_request:
permissions:
contents: read
jobs:
rn-doctor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
with:
fetch-depth: 0 # required for changed-only (merge-base diff)
- uses: AmrithVengalath/react-native-doctor-ci/[email protected]
with:
changed-only: "true"
base: origin/${{ github.base_ref }}A PR that adds or upgrades a dependency failing your policy gets a red check and an annotation on
the offending package.json line in the Files changed tab.
Inputs
| Input | Default | Description |
|---|---|---|
version | latest | npm version or dist-tag of the CLI to run. Pin for reproducible CI. |
policy | (empty) | Policy file path. Empty auto-detects .rn-doctor.yml. |
changed-only | "false" | Only check deps added/changed vs base. Needs fetch-depth: 0. |
base | (empty) | Base ref for changed-only. Empty means origin/main. |
workspaces | "false" | Also check every workspace package.json. |
annotations | "true" | Inline GitHub annotations. |
token | the workflow token | Used to read public repo metadata (archived, last push). |
working-directory | . | Directory containing the package.json to check. |
node-version | 22 | Node to set up; the CLI requires >= 20. |
Notes
changed-onlycomputes the diff against the merge-base of the PR branch andbase— the same commit range as GitHub's three-dot compare. That is whyfetch-depth: 0is required; a shallow checkout has no merge-base, and the run fails with a message saying exactly that.- The default
GITHUB_TOKENis enough; it only reads public repository metadata. Without any token, GitHub-backed fields degrade tounknownwith a warning — rate limits never fail a run. - The exit code passes through unchanged, so branch protection sees
1(policy errors) as a failed check and2(tool failure) as a broken run worth investigating.
The repository's example/
directory has this workflow and a fully commented policy file ready to copy.