GitHub Action

Run cf-ready scan in CI on every pull request. Upload SARIF security findings to GitHub code scanning and surface readiness scores as step outputs.

Quick start

name: CF Ready

on:
  pull_request:
    branches: [main]

jobs:
  readiness:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: sycu8/Cloudflare-Go-Live-Readiness/action@main
        with:
          cwd: .
          fail-on-blocker: "true"

The composite action builds cf-ready from source (npm ci && npm run build), runs scan --json, uploads SARIF, and exposes parsed outputs.

Permissions

PermissionRequiredWhy
contents: readYesCheckout and read repository files for scanning
security-events: writeYes (for SARIF)Upload security-findings.sarif to GitHub code scanning
pull-requests: writeOptionalOnly needed if your workflow posts PR comments (see dogfood workflow)

Inputs

InputDefaultDescription
cwd.Project directory to scan (relative to repo root)
config""Optional path to cf-ready.config.json
fail-on-blocker"true"Fail the step when scan exit code is 1 (blockers found)
cf-ready-root.Directory containing cf-ready package.json when vendoring the action source
node-version"22"Node.js version for building cf-ready

Outputs

OutputValuesDescription
exit-code0, 1, 20 = ready, 1 = blockers, 2 = runtime error
production-readytrue / falseFrom productionReady in scan JSON
blocker-countIntegerLength of blockers array in scan JSON
overall-score0–100Weighted readiness score from scores.overall

Artifacts uploaded on success (exit code ≠ 2):

fail-on-blocker

When fail-on-blocker: "true" (default), the action exits with code 1 if cf-ready finds blockers, failing the CI step. Set to "false" to report findings without failing — useful for gradual adoption or fixture scans with expected blockers.

Exit code 2 always fails. Runtime errors (missing config, build failure) exit 2 regardless of fail-on-blocker.

Dogfood note

The cf-ready repository runs its own action on every pull request via .github/workflows/cf-ready-pr.yml:

This dogfood workflow validates the action itself. In your repo, point cwd at your application root and keep fail-on-blocker: "true" for strict gates.

- uses: ./action          # Local path when developing cf-ready
  with:
    cwd: tests/fixtures/nextjs-app
    fail-on-blocker: "false"