ReleaseRun Stack Health Check

March 12, 2026 ยท View on GitHub

GitHub Marketplace License: MIT

Scan your project for end-of-life dependencies, known CVEs, and version health issues. Get an A-F grade for your entire tech stack in CI.

Quick Start

- uses: Releaserun/releaserun-action@v2

That's it. Add it to any workflow and it'll scan your project, post a health report as a PR comment, and optionally fail the build if your stack health drops below a threshold.

What It Checks

  • package.json / package-lock.json (Node.js, npm)
  • requirements.txt / Pipfile (Python)
  • go.mod (Go)
  • Gemfile / Gemfile.lock (Ruby)
  • pom.xml (Java/Maven)
  • Dockerfile (Docker base images)
  • docker-compose.yml (Service versions)
  • .terraform.lock.hcl (Terraform providers)

For each detected technology, it checks:

  • Current version vs latest
  • End-of-life status and dates
  • Known CVEs from OSV database
  • Overall health grade (A through F)

Usage

Basic (scan and comment on PRs)

name: Stack Health
on: [pull_request]

jobs:
  health-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Releaserun/releaserun-action@v2

Fail on low grades

- uses: Releaserun/releaserun-action@v2
  with:
    fail-on: 'D'  # Fail if any tech grades D or F

Scan a specific directory

- uses: Releaserun/releaserun-action@v2
  with:
    path: './backend'

JSON output for scripting

- uses: Releaserun/releaserun-action@v2
  id: health
  with:
    format: 'json'
    comment: 'false'

- run: echo "Grade is ${{ steps.health.outputs.grade }}"

Auto-update README badges

When update-readme is true, the action runs releaserun readme --write on PRs to commit version-specific badges directly to your README:

name: Stack Health
on: [pull_request]

jobs:
  health-check:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - uses: Releaserun/releaserun-action@v2
        with:
          update-readme: 'true'

Version-specific badge output

As of CLI 1.1.0, badges are version-specific. The badge-markdown output contains copy-paste-ready markdown:

- uses: Releaserun/releaserun-action@v2
  id: health

- run: echo "${{ steps.health.outputs.badge-markdown }}"
  # Example output:
  # [![Node.js 20 Health](https://img.releaserun.com/badge/health/nodejs/20.svg)](https://releaserun.com/nodejs/)
  # [![Python 3.11 Health](https://img.releaserun.com/badge/health/python/3.11.svg)](https://releaserun.com/python/)

Scheduled checks

name: Weekly Stack Health
on:
  schedule:
    - cron: '0 9 * * 1'  # Every Monday at 9am

jobs:
  health-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Releaserun/releaserun-action@v2
        with:
          comment: 'false'
          fail-on: 'D'

Ready-to-use Examples

The examples/ directory has copy-paste workflow files:

FileUse case
basic.ymlMinimal setup โ€” scan on push and PRs, fail only on F
pr-comment.ymlHealth report on every PR, never blocks merge
weekly-report.ymlMonday audit + auto-create issue if grade drops to C/D/F
strict.ymlBlock merges if any technology grades C or below

Inputs

InputDefaultDescription
path.Directory to scan
fail-onFFail if grade is at or below this (A/B/C/D/F/none)
formattableOutput format: table or json
commenttruePost results as PR comment
badgetrueInclude health badges in PR comment
update-readmefalseAuto-update README with health badges on PRs

Outputs

OutputDescription
gradeOverall stack health grade (A-F)
technologiesNumber of technologies detected
eol-countNumber of EOL technologies
cve-countTotal CVE count
reportFull JSON report
badge-markdownVersion-specific badge markdown for READMEs

PR Comment Example

The action posts a formatted table as a PR comment:

๐ŸŸก Stack Health Report โ€” Grade: B

MetricValue
Technologies scanned5
EOL dependencies1
Known CVEs3
Overall gradeB

Details

TechnologyVersionEOLCVEsGrade
Node.js20.11.02026-04-300A
Python3.11.72027-10-241B
PostgreSQL15.42027-11-112B
Docker25.0Active0A
Kubernetes1.282025-10-280C

License

MIT