RepoPilotOpen in app →

matteocrippa/awesome-swift

A collaborative list of awesome Swift libraries and resources. Feel free to contribute!

WAIT

Mixed signals — read the receipts

  • Last commit 3w ago
  • 5 active contributors
  • CC0-1.0 licensed
  • CI configured
  • Small team — 5 top contributors
  • Concentrated ownership — top contributor handles 54% of commits
  • No test directory detected

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Embed this verdict

[![RepoPilot: WAIT](https://repopilot.app/api/badge/matteocrippa/awesome-swift)](https://repopilot.app/r/matteocrippa/awesome-swift)

Paste into your README — the badge live-updates from the latest cached analysis.

Onboarding doc

Onboarding: matteocrippa/awesome-swift

Generated by RepoPilot · 2026-05-05 · Source

Verdict

WAIT — Mixed signals — read the receipts

  • Last commit 3w ago
  • 5 active contributors
  • CC0-1.0 licensed
  • CI configured
  • ⚠ Small team — 5 top contributors
  • ⚠ Concentrated ownership — top contributor handles 54% of commits
  • ⚠ No test directory detected

<sub>Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests</sub>

TL;DR

awesome-swift is a curated, community-maintained catalog of Swift libraries and resources stored as structured data in contents.json, then auto-generated into README.md via a Ruby conversion script (.github/convert.rb). It solves the problem of Swift developers needing a single, categorized, up-to-date reference of 1099+ vetted libraries across 80+ categories like Animation, Data Management, Concurrency, and AR. Flat repo: contents.json is the authoritative data store for all library entries; .github/convert.rb reads it and generates README.md; .github/workflows/ runs CI to validate PRs (pr.yml) and trigger conversion on merge (merge.yml). The Node.js tool in .github/check-swift-version/ validates Swift version tags in submitted entries.

Who it's for

iOS/macOS/Swift developers who need to discover vetted third-party libraries without manually searching GitHub, and open-source Swift library authors who want their project discoverable by the community. Contributors are typically Swift developers submitting PRs to add or update entries in contents.json.

Maturity & risk

The repo tracks 1099 projects as of April 2026 and has an established CI pipeline via .github/workflows/pr.yml and merge.yml, plus automated PR validation via Dangerfile and a Node.js swift-version checker in .github/check-swift-version/index.js. It is actively maintained with a stable, repeatable contribution workflow — production-ready as a reference resource.

The single source of truth is contents.json, meaning a malformed entry or bad merge could silently corrupt the generated README.md. The project is effectively single-maintainer (matteocrippa), creating a bus-factor risk for reviewing the PR backlog. The Ruby toolchain (.ruby-version, convert.rb) adds a version-pinning dependency that could break the generation pipeline if Ruby versions drift.

Active areas of work

Active work centers on PR validation automation — the .github/instructions/pr-review.instructions.md and .github/workflows/pr.yml files suggest recent investment in GitHub Copilot-assisted PR review (see .github/copilot-instructions.md). The ab-results-*.json files indicate recent A/B testing of README formatting or content presentation.

Get running

git clone https://github.com/matteocrippa/awesome-swift.git && cd awesome-swift && gem install bundler && bundle install && ruby .github/convert.rb

Daily commands: ruby .github/convert.rb # regenerates README.md from contents.json. For CI validation locally: node .github/check-swift-version/index.js

Map of the codebase

  • contents.json — The single source of truth for all Swift library entries — every contributor must edit this file instead of README.md directly.
  • README.md — The auto-generated output file rendered on GitHub; understanding its structure helps contributors know what the final result looks like.
  • .github/schema.json — Defines the JSON schema that validates every entry in contents.json, enforcing required fields and data types for all contributions.
  • .github/convert.rb — The Ruby script that transforms contents.json into the README.md, making it the core build pipeline artifact.
  • .github/workflows/pr.yml — CI workflow that runs on every pull request to validate new entries against the schema and Swift version checks.
  • .github/workflows/merge.yml — CD workflow that regenerates and deploys the README.md after merges to master, completing the content pipeline.
  • .github/CONTRIBUTING.md — Contributor guidelines explaining the exact format, fields, and process required to add a new library entry.

Components & responsibilities

  • contents.json — Stores all curated Swift library and resource entries in a structured

How to make changes

Add a new Swift library entry

  1. Open contents.json and locate the correct category array (e.g. 'AI', 'Networking') — categories are top-level keys in the JSON structure. (contents.json)
  2. Add a new JSON object with all required fields as defined by the schema: name, url, description, swift_version, and any optional fields like tags or homepage. (.github/schema.json)
  3. Review CONTRIBUTING.md to confirm your entry meets style guidelines (alphabetical order within category, description length, no self-promotion). (.github/CONTRIBUTING.md)
  4. Open a pull request — the pr.yml workflow will automatically validate your entry against schema.json and check Swift version compatibility. (.github/workflows/pr.yml)

Add a new content category

  1. Add a new top-level category key with an empty array to contents.json, following the existing naming conventions. (contents.json)
  2. Update schema.json to include the new category key as a valid property so validation does not reject the new section. (.github/schema.json)
  3. Edit convert.rb to ensure the new category is picked up during README generation and rendered with the correct heading and anchor. (.github/convert.rb)
  4. Verify the table of contents anchor in README.md will be correctly generated by running the convert script locally before submitting the PR. (README.md)

Update CI validation rules

  1. Modify the schema.json to add, remove, or tighten field constraints (e.g., require a new 'homepage' field or restrict description length). (.github/schema.json)
  2. Update the pr.yml workflow if new validation steps or Node/Ruby version requirements are needed for the updated checks. (.github/workflows/pr.yml)
  3. If Swift version parsing logic changes, update the Node.js checker script accordingly. (.github/check-swift-version/index.js)
  4. Update Dangerfile to add or adjust automated PR comments that surface the new validation failures to contributors. (Dangerfile)

Update the README generation template

  1. Edit convert.rb to change how categories, entries, or badges are rendered into Markdown (e.g., add a new column or change badge style). (.github/convert.rb)
  2. Run the script locally against contents.json and inspect the output README.md to verify formatting is correct. (README.md)
  3. If the deploy process needs adjustment (e.g., new branch target), update deploy.sh accordingly. (.github/deploy.sh)
  4. Confirm merge.yml still correctly invokes the updated convert.rb and deploy.sh sequence. (.github/workflows/merge.yml)

Why these technologies

  • JSON (contents.json) — Machine-readable, diff-friendly format that allows automated validation, generation, and future tooling without coupling contributors to a specific language or framework.
  • Ruby (convert.rb) — Ruby has excellent string templating and JSON parsing support in stdlib; it is a common choice for lightweight static-site generation scripts in GitHub-hosted projects.
  • Node.js (check-swift-version) — JavaScript/Node.js tooling integrates easily with GitHub Actions and npm ecosystem, allowing reuse of semver comparison libraries for Swift version validation.
  • GitHub Actions — Native to the GitHub hosting platform; zero infrastructure cost, tightly integrated with PR events, and sufficient for a purely content-driven repository.
  • Danger (Dangerfile) — Provides structured, automated PR review comments to guide contributors without requiring manual reviewer intervention for common formatting mistakes.

Trade-offs already made

  • Single contents.json as source of truth instead of individual files per entry

    • Why: Simplifies the generation pipeline — one parse pass produces the entire README — and makes schema validation straightforward.
    • Consequence: Large merge conflicts when many contributors edit the same JSON file simultaneously; ordering disputes within categories.

  • Auto-generated README.md committed to the repository

    • Why: GitHub renders the README directly from the repo root without any server-side build step, making it instantly visible.
    • Consequence: The README is a derived artifact in version control, creating noise in git history and requiring contributors to never edit it manually.

  • Ruby for the generation script rather than a JavaScript or Python tool

    • Why: Ruby was likely the maintainer's preferred scripting language at project inception and has no additional runtime dependencies on GitHub Actions.
    • Consequence: Contributors wishing to modify the generator need Ruby knowledge; the .ruby-version file pins a specific version to avoid drift.

  • No database or CMS — pure static file approach

    • Why: Keeps the project dependency-free for consumers; anyone can clone and read the data without running a server.
    • Consequence: No search, filtering, or API capabilities; the only query interface is grep or manual browsing of the Markdown file.

Non-goals (don't propose these)

  • Providing a searchable web UI or API for querying Swift libraries
  • Automated testing or CI for the listed libraries themselves
  • Hosting or distributing any Swift code beyond the sample Hi.swift file
  • Supporting package manager integration (e.g., SPM index or CocoaPods spec)

Traps & gotchas

The README.md has a prominent warning NOT to edit it directly — all changes must go through contents.json or they will be overwritten on next merge. The .ruby-version file pins a specific Ruby version; mismatched local Ruby will cause convert.rb to fail silently or produce malformed output. The Node.js check-swift-version tool has no listed dependencies in its package.json beyond the package itself, so npm install must be run inside .github/check-swift-version/ specifically, not at the repo root.

Architecture

Concepts to learn

  • Awesome List convention — This entire repo follows the sindresorhus 'awesome' curation standard — understanding the badge criteria and quality bar explains why PRs get rejected
  • Static site generation from JSON — The repo's core pattern — contents.json is a structured data store transformed by convert.rb into Markdown, a pattern used in many documentation-as-code projects
  • Danger (automated PR review) — Dangerfile uses the Danger framework to enforce contribution rules automatically on every PR — understanding it explains why certain PRs fail CI
  • JSON Schema validation — schema.json defines the contract for contents.json entries — knowing JSON Schema helps contributors format new library entries correctly and spot why CI might reject them
  • Swift Package Manager versioning — The check-swift-version Node.js tool validates Swift version compatibility tags — understanding Swift versioning semantics is needed to correctly fill in library entries
  • GitHub Actions matrix CI — The pr.yml and merge.yml workflows orchestrate multi-step validation and deployment — understanding Actions job sequencing explains the full contribution pipeline

Related repos

  • vsouza/awesome-ios — Direct alternative covering the broader iOS ecosystem in Objective-C and Swift, often used alongside this repo
  • sindresorhus/awesome — The parent 'awesome list' meta-repo whose badge and conventions this repo follows — defines the curation standard
  • Wolg/awesome-swift — Close alternative curated Swift list in the same ecosystem, sometimes referenced for cross-checking entries
  • matteocrippa/awesome-swift — The GitHub Pages deployment target — .github/deploy.sh publishes the generated README as a browsable site
  • nicklockwood/SwiftFormat — Commonly listed library in this catalog and representative of the Swift tooling ecosystem contributors are navigating

PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add Swift version validation unit tests to .github/check-swift-version/index.js

The .github/check-swift-version/ directory contains a Node.js script (index.js) that checks Swift versions in submitted entries, but there is no test file present in the package.json or directory listing. Without tests, regressions in version-checking logic can silently break PR validation for all contributors. Adding a test suite with Jest (already a natural fit given the Node.js setup) would safeguard the core automation that every PR depends on.

  • [ ] Add 'jest' as a devDependency in .github/check-swift-version/package.json and add a 'test' script entry
  • [ ] Create .github/check-swift-version/index.test.js covering: valid Swift version strings (e.g. '5.9', '5.10'), invalid/missing version strings, and edge cases like pre-release tags
  • [ ] Update .github/workflows/pr.yml to run 'npm test' inside .github/check-swift-version/ as a step before the Swift version check runs on PRs
  • [ ] Document the test step in .github/CONTRIBUTING.md so future contributors know how to run tests locally

Add a JSON schema validation CI step in .github/workflows/pr.yml using the existing .github/schema.json

The repo already has a .github/schema.json file that defines the structure for contents.json, but the existing .github/workflows/pr.yml does not appear to include a step that validates contents.json against this schema on every PR. This means malformed entries (wrong field types, missing required keys) can pass CI and corrupt the README generation pipeline driven by convert.rb. Adding an explicit schema validation step closes this gap.

  • [ ] Inspect .github/schema.json to confirm it targets contents.json structure (array of category/entry objects)
  • [ ] Add a new step in .github/workflows/pr.yml that installs 'ajv-cli' (npm) and runs 'ajv validate -s .github/schema.json -d contents.json' to fail the PR if contents.json is invalid
  • [ ] Add a corresponding entry in .github/CONTRIBUTING.md explaining that contents.json must conform to schema.json and how to validate locally (e.g. 'npm exec ajv-cli -- validate ...')
  • [ ] Add at least one intentionally invalid fixture file in a test/ or fixtures/ folder and document it as a schema regression example

Add automated dead-link checking GitHub Action for URLs inside contents.json

With 1099 projects listed, link rot is a real and ongoing problem for this type of curated list. There is currently no workflow file dedicated to checking that repository/project URLs in contents.json are still reachable. The existing .github/workflows/ only contains merge.yml and pr.yml. A scheduled lychee or markdown-link-check Action would automatically surface dead links on a weekly basis, making it far easier to keep the list high-quality without manual auditing.

  • [ ] Create .github/workflows/link-check.yml with a scheduled trigger (e.g. cron: '0 6 * * 1' for weekly Mondays) and a workflow_dispatch trigger for manual runs
  • [ ] Use the 'lycheeverse/lychee-action' GitHub Action pointed at contents.json and README.md to check all http/https URLs, with a config to accept 429 (rate-limited) responses as non-failures
  • [ ] Add a .lycheeignore file at the repo root to allowlist known false-positive URLs (e.g. GitHub repo URLs that require auth or return 429 under CI)
  • [ ] Update .github/CONTRIBUTING.md to mention that contributors should verify their submitted URL is live before opening a PR, and that automated weekly checks will flag dead links

Good first issues

  1. Add JSON schema validation to the CI pr.yml workflow to catch malformed contents.json entries before the convert.rb step runs — currently schema.json exists but there's no automated validation step referencing it. 2. Write a test for convert.rb that checks every category in contents.json appears correctly in the generated README.md — no tests currently exist for the conversion script. 3. Add a CI check that detects duplicate GitHub URLs in contents.json — duplicate library submissions are a common PR problem with no automated guard.

Top contributors

Recent commits

  • 6be2ad5 — Updated markdown (actions-go)
  • ac1e5c7 — Add EdgeRunner (#1926) (christopherkarani)
  • 9fd541d — Add CLOSE decision for PRs with <15 GitHub stars (#1924) (Copilot)
  • 91b6e44 — Updated markdown (actions-go)
  • 9c221b2 — Add Fazm (#1922) (vpeschenkov)
  • 89babdf — Fix copilot review instructions to stop asking users to regenerate readme (#1923) (Copilot)
  • 709cf87 — Add copilot pr review instructions (#1921) (Copilot)
  • 50c2b9b — Rename copilot-instructions.md to *.instructions.md (vpeschenkov)
  • 8d91dad — Updated markdown (actions-go)
  • 4422188 — Add TouchBridge (#1920) (vpeschenkov)

Security observations

  • Medium · No dependency version pinning in package.json — .github/check-swift-version/package.json. The package.json for 'check-swift-version' specifies version '1.0.0' but does not list any explicit dependencies with pinned versions. Without a package-lock.json or yarn.lock committed to the repository, transitive or future dependencies could be resolved to vulnerable versions at install time, enabling supply chain attacks. Fix: Ensure a package-lock.json or yarn.lock is committed to the repository. Explicitly declare and pin all runtime and development dependencies to specific versions. Consider using 'npm audit' or a tool like Dependabot to monitor for vulnerable dependencies.
  • Medium · Potentially unsafe shell script without input validation — .github/deploy.sh. The deploy.sh script in .github/ may execute shell commands as part of CI/CD workflows. Without reviewing the full content, shell scripts in automated pipelines are a common vector for command injection if they process external inputs (e.g., PR titles, branch names, or environment variables) without proper sanitization or quoting. Fix: Audit deploy.sh to ensure all variables are properly quoted, external inputs are validated/sanitized, and the principle of least privilege is applied. Avoid using 'eval' or unquoted variable expansion. Use 'set -euo pipefail' at the top of the script.
  • Medium · GitHub Actions workflow may be vulnerable to script injection — .github/workflows/pr.yml, .github/workflows/merge.yml. The workflow files (.github/workflows/merge.yml and .github/workflows/pr.yml) may use GitHub context values (e.g., github.event.pull_request.title, github.head_ref) directly in 'run' steps or environment variables. If untrusted user-supplied data from forks or PR metadata is interpolated directly into shell commands using ${{ }} syntax, it can lead to arbitrary code execution. Fix: Never interpolate github context expressions (e.g., ${{ github.event.pull_request.title }}) directly into 'run' steps. Instead, assign them to environment variables first and reference those. Use 'pull_request_target' with caution and restrict permissions with 'permissions' keys. Pin actions to full commit SHAs rather than mutable tags.
  • Low · Ruby script without dependency manifest or version locking — .github/convert.rb. The convert.rb script is present without an accompanying Gemfile or Gemfile.lock, making it impossible to audit which Ruby gem versions are in use. Outdated or unvetted gems could introduce vulnerabilities into the build/conversion pipeline. Fix: Introduce a Gemfile and Gemfile.lock specifying all required gems and their pinned versions. Run 'bundle audit' regularly to check for known vulnerabilities in gem dependencies.
  • Low · Dangerfile executing automated code review without sandboxing — Dangerfile. The Dangerfile runs automated checks as part of the CI pipeline. If it processes pull request content (such as diff text, PR titles, or file contents) and passes them to shell commands or evaluates them dynamically, it could be susceptible to injection from malicious PR contributions. Fix: Review the Dangerfile for any dynamic evaluation of untrusted PR content. Ensure Danger runs with minimal permissions and that its token has only the required scopes (e.g., read-only where possible). Pin the Danger gem version.
  • Low · External image loaded over CDN without Subresource Integrity (SRI) — README.md. The README references an external badge image from cdn.rawgit.com (https://cdn.rawgit.com/sindresorhus/awesome/...). While this is a markdown context and not directly exploitable in a browser SRI sense, it indicates a pattern of trusting external CDN resources. If similar patterns exist in any HTML output generated from this repo, it could expose users to CDN compromise. Fix: For any HTML pages generated from this repository, use Subresource Integrity (SRI) hashes for externally loaded resources. Consider self-hosting critical assets or using a trusted, version-pinned CDN URL.
  • Low · No SECURITY.md or vulnerability disclosure policy — ``. The repository does not appear to include a SECURITY.md file defining a vulnerability disclosure or responsible disclosure policy. This makes it unclear how security researchers or contributors should report security issues. Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

Where to read next

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.