Failed CI → cause, evidence, fix, confidence.
A pipeline step that explains failures, checks pipeline health, audits config, and flags risky CI patterns. Summary output by default. PR comments optional.
This is what appears in your Actions summary panel or PR comment when CI fails.
DATABASE_URL — connection refused at test step.
Error: connect ECONNREFUSED 127.0.0.1:5432 at step Run tests
DATABASE_URL set via repo secrets
a3d7f1
DATABASE_URL to repository secrets and reference it in your workflow env: block.

In summary mode (default) this appears in the Actions panel. Set BADGR_OUTPUT_MODE: pr-comment to post it to the PR instead.
Three lines. No tokens required for default summary output.
```yaml
- name: Badgr Agent CI
  if: failure()
  uses: michaelmanly/badgr-agent@v1
  with:
    badgr_api_key: ${{ secrets.BADGR_API_KEY }}
  # Diagnosis → Actions summary panel. No PR write token needed.
  # Opt in to PR comments:
  # env:
  #   BADGR_OUTPUT_MODE: pr-comment
  #   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Default permissions: contents: read, actions: read. Add pull-requests: write only if using pr-comment mode.
Set BADGR_OUTPUT_MODE to choose where the diagnosis is delivered.
| Value | Where output goes | PR write token? |
|---|---|---|
| summary (default) | CI summary panel — Actions, Azure, GitLab collapsible | No |
| pr-comment | PR / MR comment thread (opt-in) | Yes |
| console | stdout only | No |
| both | PR comment + CI summary | Yes |
Opt in to PR comments

```yaml
env:
  BADGR_OUTPUT_MODE: pr-comment
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Dry-run — inspect payload first

```yaml
env:
  BADGR_DRY_RUN: "1"
  # Prints the redacted payload to console.
  # No API call is made.
```

Set BADGR_MODE to choose what Badgr analyses. Failure mode is the default. The other three are optional.
failure (default)
Trigger: if: failure()
Diagnoses failed runs: likely cause, evidence, suggested fix, confidence, and responsible team.
Output: summary or PR comment

health
Trigger: if: always() or scheduled
Pipeline performance checks: slowest steps, duration regression, cache misses, flaky tests, retry signals.
Output: summary

audit
Trigger: on PR open or scheduled
Config improvements: missing caches, no timeouts, overbroad permissions, duplicate jobs, matrix waste.
Output: summary

security
Trigger: scheduled or push to main
Risky CI patterns: token exposure, curl | bash, secrets echoed, overbroad write permissions.
Output: summary or console — never PR comments
```yaml
- name: Badgr Health
  if: always()
  uses: michaelmanly/badgr-agent@v1
  with:
    badgr_api_key: ${{ secrets.BADGR_API_KEY }}
  env:
    BADGR_MODE: health
```

```yaml
- name: Badgr Audit
  uses: michaelmanly/badgr-agent@v1
  with:
    badgr_api_key: ${{ secrets.BADGR_API_KEY }}
  env:
    BADGR_MODE: audit
```

Every decision in the design was made to reduce token scope, prevent data leakage, and keep CI diagnostics auditable.
Logs are scanned for 12 secret patterns (JWTs, AWS keys, GitHub/GitLab PATs, Bearer tokens, DB connection strings) and stripped before any network call. The redaction count is printed every run.
The default output mode is summary — diagnosis goes to the Actions/pipeline summary panel. No pull-requests: write scope is needed unless you opt in to PR comments.
Set BADGR_OUTPUT_MODE: pr-comment and provide a token with pull-requests: write. Nothing posts to PR threads unless you ask it to.
Set BADGR_DRY_RUN=1 to see exactly what would be sent to the API — redacted payload printed to console, no API call made. Verify before enabling in production.
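To check a captured dry-run payload yourself before enabling the step, the sketch below scans text for the secret classes named above and reports only line numbers and types. It is an added example, not Badgr's code: the regexes are assumptions standing in for its 12 patterns, and the sample log and every credential in it are constructed.

```python
import re

# Assumed regexes for the secret classes the page lists (not Badgr's own rules).
PATTERNS = {
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.eyJ[\w-]{10,}\.[\w-]{10,}"),
    "aws_access_key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_\w{22,})"),
    "gitlab_pat": re.compile(r"\bglpat-[\w-]{20,}"),
    "bearer": re.compile(r"\bbearer\s+[\w.~+/-]{16,}=*", re.I),
    "db_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis)://[^\s:/@]+:[^\s@]+@[^\s/]+"),
}

# Constructed sample log; every credential below is fake.
SAMPLE_LOG = "\n".join([
    "Run tests",
    "Error: connect ECONNREFUSED 127.0.0.1:5432 at step Run tests",
    "DATABASE_URL=postgres://ci_user:not-a-real-pw@127.0.0.1:5432/app",
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    'curl -H "Authorization: Bearer c29tZS1vcGFxdWUtdG9rZW4tdmFsdWU" https://api.example.test',
    "GH_TOKEN=ghp_" + "A" * 36,
    "session=eyJ" + "a" * 20 + ".eyJ" + "b" * 20 + "." + "c" * 20,
])

def find_secrets(text):
    """Return (line_number, kind) per match; the secret value is never returned."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            hits.extend((no, kind) for _ in rx.finditer(line))
    return hits

def redact(text):
    """Replace each match with a typed marker; return (clean_text, redaction_count)."""
    count = 0
    for kind, rx in PATTERNS.items():
        text, n = rx.subn(f"[REDACTED:{kind}]", text)
        count += n
    return text, count

if __name__ == "__main__":
    clean, n = redact(SAMPLE_LOG)
    print(f"{n} redactions; residual findings: {find_secrets(clean)}")
    print(clean)
```

Run `find_secrets` over the console output of a dry run: an empty list means none of these patterns survived redaction, and any hit tells you which log line to inspect.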
Security scan results always go to summary or console, regardless of BADGR_OUTPUT_MODE. Token exposure findings never appear in pull request threads.
Set BADGR_API_URL to route through your own proxy or self-hosted backend. Logs never leave your network. Same env var works across all five adapters.
Self-hosted — logs never leave your network

```yaml
env:
  BADGR_API_KEY: ${{ secrets.BADGR_API_KEY }}
  BADGR_API_URL: https://badgr.internal.yourcompany.com/v1
```

Add three lines to your workflow. Get cause, evidence, fix, and confidence on every failure.