GitHub Actions Security & Maintenance Monitor
Pricing
Pay per event
GitHub Actions Security & Maintenance Monitor
🔎 Vet third-party GitHub Actions with public repository, release, policy, advisory, and maintenance evidence for recurring CI dependency reviews.
Pricing
Pay per event
Rating
0.0
(0)
Developer
Stas Persiianenko
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
3 days ago
Last modified
Categories
Share
Monitor the public maintenance and security signals behind the GitHub Actions your CI workflows depend on.
What does it do?
Submit Marketplace URLs or references such as actions/checkout@v4.
The actor resolves public GitHub evidence into one action-focused report.
It joins repository, release, activity, license, policy, and advisory signals.
Every record includes source-level fetch status and source URLs.
The output is an evidence aid, not a security guarantee or vulnerability scan.
Who is it for?
- Platform engineers reviewing reusable workflow dependencies.
- DevOps teams maintaining an approved-actions inventory.
- Security teams refreshing third-party CI dependency reviews.
- Engineering leaders who need explainable public maintenance evidence.
- Procurement or compliance teams collecting a lightweight review trail.
Why use it?
GitHub Actions are software supply-chain dependencies. A Marketplace page alone does not show repository activity or release freshness. A repository alone may not show how an action is presented in Marketplace. This monitor keeps the workflow focused on submitted dependencies, not catalogue scraping. Use scheduled runs to re-check the same approved action list over time.
Public evidence sources
The actor uses public GitHub Marketplace HTML when a Marketplace URL is supplied.
It calls public repository, latest-release, and community-profile endpoints.
When enabled, it requests GitHub's public repository advisory endpoint.
GitHub can rate-limit or withhold individual sources without authentication.
sourceFetchStatus makes those conditions explicit in each output record.
Data fields
| Field | Meaning |
|---|---|
canonicalRepository | Resolved owner/repository backing the action |
requestedRef | Version or ref supplied after @ |
maintenanceRisk | Transparent low, medium, high, or unknown evidence classification |
riskReasons | Public-signal reasons used for the classification |
latestReleaseTag | Latest public release tag when available |
securityPolicyPresent | GitHub community-profile security-policy signal |
sourceFetchStatus | Per-source success, absence, limit, skip, or error status |
How risk classification works
High risk is assigned for strong public maintenance warning signals. Examples include an archived repository, disabled repository, or high/critical advisory. Medium risk identifies softer review signals such as missing policy or license metadata. Low means the checked public signals did not trigger a listed reason. Unknown means the action could not be resolved or key public metadata was unavailable. Review the underlying fields and your organization’s policy before making a decision.
Input: action references
Use an action reference such as actions/checkout@v4.
Use a Marketplace URL such as https://github.com/marketplace/actions/cache.
Each submitted value creates one dataset report.
References are preserved in inputAction so reports can be joined to your inventory.
Keep action references explicit and versioned in your source workflow where possible.
Input: Marketplace metadata
Enable Marketplace metadata to resolve the supplied Marketplace page.
The output can include its title, canonical repository, and verified-creator signal.
This option is useful for Marketplace-originated dependency lists.
Disable it when you already supply direct repository references and want fewer requests.
Marketplace markup can change, so inspect sourceFetchStatus in automated workflows.
Input: public advisories
Enable advisory lookup to request GitHub's public repository advisory endpoint. The actor reports an advisory count and highest severity where available. It does not claim complete advisory coverage or scan source code. Private alerts, authenticated endpoint behavior, and GitHub rate limits can affect availability. Treat absent data as unavailable evidence, not proof that no vulnerabilities exist.
Input: run limits
maxItems caps the number of submitted action values emitted in one run.
Start with a small value while testing a new workflow.
For an inventory review, submit a list of specific action references.
For scheduled monitoring, reuse a controlled list stored in your task input.
The actor does not discover or enumerate Marketplace actions by itself.
Output: repository health
Repository fields include description, default branch, archive and disabled flags. Activity fields include stars, forks, open issues, last push, and last update timestamps. License output uses the public SPDX identifier or GitHub license key when reported. Latest release fields provide tag, date, and a release URL where available. These are public indicators; they are not a maintainer endorsement or code-quality score.
Output: security context
securityPolicyPresent is derived from GitHub's public community profile.
publicAdvisoryCount and highestAdvisorySeverity are available when enabled and returned.
disclaimer is included in every row to preserve the assessment boundary in exports.
Use the output as evidence to prioritize deeper review, not to approve an action automatically.
Consult your security team for policy, threat modeling, and vulnerability remediation decisions.
Output: source transparency
Each report includes sourceUrls for the public pages and APIs consulted.
Each source has a status of ok, not_found, rate_limited, error, or skipped.
A 404 can mean that a particular optional source does not exist.
A rate limit indicates that GitHub restricted unauthenticated access for that response.
This allows downstream automation to distinguish missing data from a failed run.
How much does it cost to monitor GitHub Actions?
The actor uses pay-per-event pricing: a small start event plus one report event per output item.
Current starting price is $0.005 per run plus $0.000028689 per action report at the Bronze tier.
Volume tiers can reduce the per-report price.
Pricing is shown in the Apify Console before a run and may be updated with notice.
Use maxItems to control how many reports a test or scheduled run creates.
Example input
{"actions": ["actions/checkout@v4", "https://github.com/marketplace/actions/cache"],"includeMarketplaceMetadata": true,"includeAdvisories": true,"maxItems": 10}
The first value resolves directly from an action reference. The second value also collects available Marketplace context.
Example workflow
Create a task called “Approved CI Action Monitor”. Add the action references used by your organization’s workflows. Schedule it weekly or after a dependency-policy change. Export the dataset to your review system or spreadsheet. Escalate high-risk reasons into your organization’s existing security review process.
Tips for reliable monitoring
Use explicit owner/repository@ref values instead of ambiguous display names.
Keep the same inventory list across scheduled runs for useful comparisons.
Use low limits for initial validation and inspect source statuses.
Retry later after a GitHub rate limit rather than treating it as negative evidence.
Use direct repository references when Marketplace HTML is not needed.
Integrations
Send the dataset to a spreadsheet for an approved-actions register.
Use an Apify webhook to open a ticket when a report contains high risk.
Compare exports over time to find archived repositories or stale releases.
Join canonicalRepository with your workflow dependency inventory.
Use source URLs in a reviewer-facing audit record.
API usage: Node.js
import { ApifyClient } from 'apify-client';const client = new ApifyClient({ token: process.env.APIFY_TOKEN });const run = await client.actor('automation-lab/github-actions-security-maintenance-monitor').call({actions: ['actions/checkout@v4'], maxItems: 1,});console.log(run.defaultDatasetId);
API usage: Python
from apify_client import ApifyClientclient = ApifyClient("YOUR_APIFY_TOKEN")run = client.actor("automation-lab/github-actions-security-maintenance-monitor").call(run_input={"actions": ["actions/checkout@v4"], "maxItems": 1})print(run["defaultDatasetId"])
API usage: cURL
curl -X POST "https://api.apify.com/v2/acts/automation-lab~github-actions-security-maintenance-monitor/runs?token=YOUR_APIFY_TOKEN" \-H 'Content-Type: application/json' \-d '{"actions":["actions/checkout@v4"],"maxItems":1}'
MCP
Use this actor from Apify MCP with the scoped tool URL:
https://mcp.apify.com?tools=automation-lab/github-actions-security-maintenance-monitor.
Add the scoped server in Claude Code:
claude mcp add --transport http apify-actions-monitor \'https://mcp.apify.com?tools=automation-lab/github-actions-security-maintenance-monitor'
For Claude Desktop, add this MCP server configuration and restart the app:
{"mcpServers":{"apify-actions-monitor":{"url":"https://mcp.apify.com?tools=automation-lab/github-actions-security-maintenance-monitor"}}}
Authorize your Apify account when prompted. Example prompt: “Monitor actions/checkout@v4 and return its latest release and risk reasons.” Example prompt: “Check these Marketplace action URLs and list unavailable public evidence sources.” The actor remains useful for targeted dependency review rather than generic GitHub search.
Legality and responsible use
This actor accesses public GitHub pages and documented public GitHub endpoints. You are responsible for ensuring your use complies with GitHub terms and applicable law. Do not use the result to make claims about a maintainer or project without review. Respect GitHub rate limits and avoid unnecessary high-frequency runs. Do not treat public metadata as a substitute for a security assessment.
Limitations
Unauthenticated GitHub API limits can make an optional source unavailable. Marketplace HTML can change and a page may not expose a linked repository. Public advisory availability varies by repository and endpoint behavior. The actor does not inspect workflow YAML, source code, private alerts, or dependencies. A low classification reflects only the public signals checked by this version.
Troubleshooting
Why is maintenance risk unknown? The Marketplace page may not resolve to a repository, or repository metadata was unavailable.
Why is advisory output empty? GitHub may return no public records, restrict the endpoint, or advisory lookup may be disabled.
Why did a source show rate_limited? Wait for GitHub's unauthenticated quota to recover and rerun the affected list.
Why does a Marketplace URL have a different repository? Use the emitted canonicalRepository and source URL to review the public linkage.
FAQ
Does this actor guarantee an action is safe? No. It is an evidence-based public-signal monitor only.
Can I monitor the same action repeatedly? Yes. Reuse a task input and schedule it for periodic checks.
Does it scrape the full Marketplace? No. It only evaluates the action values you submit.
Can I disable optional requests? Yes. Turn off Marketplace metadata or advisory lookup in input.
Related scrapers
For broad Marketplace listing discovery, use the GitHub Marketplace Scraper. For advisory-centric exports, use the GitHub Security Advisories Scraper. For repository-wide extraction, use the GitHub Scraper. Choose this monitor when the buyer need is ongoing CI action dependency vetting. The narrow output contract keeps review data focused and explainable.
Changelog
See .actor/CHANGELOG.md for user-facing release notes.