GitHub Action
Run cf-ready scan in CI on every pull request. Upload SARIF security findings to GitHub code scanning and surface readiness scores as step outputs.
Quick start
name: CF Ready
on:
pull_request:
branches: [main]
jobs:
readiness:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- uses: sycu8/Cloudflare-Go-Live-Readiness/action@main
with:
cwd: .
fail-on-blocker: "true"
The composite action builds cf-ready from source (npm ci && npm run build), runs scan --json, uploads SARIF, and exposes parsed outputs.
Permissions
| Permission | Required | Why |
|---|---|---|
contents: read | Yes | Checkout and read repository files for scanning |
security-events: write | Yes (for SARIF) | Upload security-findings.sarif to GitHub code scanning |
pull-requests: write | Optional | Only needed if your workflow posts PR comments (see dogfood workflow) |
Inputs
| Input | Default | Description |
|---|---|---|
cwd | . | Project directory to scan (relative to repo root) |
config | "" | Optional path to cf-ready.config.json |
fail-on-blocker | "true" | Fail the step when scan exit code is 1 (blockers found) |
cf-ready-root | . | Directory containing cf-ready package.json when vendoring the action source |
node-version | "22" | Node.js version for building cf-ready |
Outputs
| Output | Values | Description |
|---|---|---|
exit-code | 0, 1, 2 | 0 = ready, 1 = blockers, 2 = runtime error |
production-ready | true / false | From productionReady in scan JSON |
blocker-count | Integer | Length of blockers array in scan JSON |
overall-score | 0–100 | Weighted readiness score from scores.overall |
Artifacts uploaded on success (exit code ≠ 2):
security-findings.sarif→ GitHub code scanning (categorycf-ready)cf-ready-scan.json→ Actions artifact (14-day retention)
fail-on-blocker
When fail-on-blocker: "true" (default), the action exits with code 1 if cf-ready finds blockers, failing the CI step. Set to "false" to report findings without failing — useful for gradual adoption or fixture scans with expected blockers.
fail-on-blocker.
Dogfood note
The cf-ready repository runs its own action on every pull request via .github/workflows/cf-ready-pr.yml:
- Scans
tests/fixtures/nextjs-app(a Next.js fixture with intentional blockers) - Uses
fail-on-blocker: "false"because blockers are expected in the fixture - Posts a PR comment with overall score, category breakdown, and blocker count
- Uploads SARIF when the scan completes successfully
This dogfood workflow validates the action itself. In your repo, point cwd at your application root and keep fail-on-blocker: "true" for strict gates.
- uses: ./action # Local path when developing cf-ready
with:
cwd: tests/fixtures/nextjs-app
fail-on-blocker: "false"