GitHub Release Risk Monitor
Pricing
Pay per usage
GitHub Release Risk Monitor
Track GitHub releases and extract structured risk signals: breaking changes, security fixes, migrations, custom keyword flags, and importance scoring. Built for AI agents, CI/CD pipelines, dependency monitoring, and product research.
Pricing
Pay per usage
Rating
0.0
(0)
Developer
Eren Senses
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
6 days ago
Last modified
Categories
Share
Track GitHub releases and detect breaking changes, security fixes, migrations, and important keywords — for AI agents, DevOps workflows, dependency monitoring, and product research.
Not a release collector. A risk signal extractor that turns raw changelogs into structured, scorable intelligence.
Intelligence is rule-based, not AI-generated. Risk flags, keyword matching, and importance scoring use deterministic regex + an additive formula — no LLM calls, no model inference. The
intelligenceinput field accepts JSON overrides for custom rules, not prompt configuration.
Why this exists
Raw release data is cheap. Analyzed, risk-flagged, ready-to-consume signals are premium.
This Actor gives you:
- SemVer classification —
major/minor/patchfrom tag names - Breaking change detection —
BREAKING CHANGE,migration required,backwards incompatible - Security fix detection —
CVE-*,security patch,vulnerability - Custom keyword flags — your watchlist, auto-detected in every release
- Importance scoring — 0–100 rule-based score (breaking+50, security+40, migration+30, major+25, keyword+10 each)
- Only flagged mode — skip routine patches, emit only what matters
- Stateful monitoring — cross-run tracking; second run emits zero duplicates
- Rate-limit logging — reads
X-RateLimit-Remainingheaders, warns on low quota - Request delay — configurable ms between repos to smooth traffic
🎯 Use Cases
Monitor dependencies weekly
{"repositories": ["vercel/next.js", "nestjs/nest", "microsoft/vscode", "apache/httpd"],"onlyFlagged": true,"outputFormat": "compact","requestDelayMs": 250}
→ Get a clean weekly briefing: what changed, what's risky, what needs migration.
Find security releases across 50 repos
{"repositories": ["expressjs/express", "fastify/fastify", "h5bp/html5-boilerplate"],"onlyFlagged": true,"customKeywords": ["security", "CVE", "vulnerability"],"outputFormat": "compact"}
→ Security team gets a focused list of releases that need review.
Feed release signals into AI agents / MCP workflows
{"repositories": ["apify/apify-sdk-js", "apify/crawlee", "apify/apify-cli"],"outputFormat": "compact","sinceDate": "2026-06-01"}
→ AI agent receives structured release intelligence: {releaseType, importanceScore, riskFlags, shortSummary} — no raw markdown to parse.
⚙️ Input
| Field | Type | Default | Description |
|---|---|---|---|
repositories | string[] | required | owner/repo or full GitHub URL |
token | string (secret) | — | GitHub PAT (5,000 req/h, private repos) |
maxReleases | int | 10 | Per repo (1–100) |
includePrereleases | bool | false | Include alpha/beta/rc |
onlyFlagged | bool | false | Emit only releases with risk/keyword flags |
sinceDate | string | — | ISO 8601 start date (e.g. "2026-07-01") |
customKeywords | string[] | — | Extra keywords to detect |
requestDelayMs | int | 0 | Delay between repo API calls (ms) |
outputFormat | enum | compact | compact or full |
📦 Output
| Field | Type | Example |
|---|---|---|
repo | string | nestjs/nest |
tagName | string | v11.1.27 |
releaseName | string | v11.1.27 |
releaseType | enum | patch |
importanceScore | int (0–100) | 10 |
riskFlags | string[] | ["migration"] |
keywordFlags | string[] | ["deprecated"] |
truncatedBody | string | Cleaned first 300 chars |
publishedAt | string | 2026-06-15T09:17:02Z |
isPrerelease | bool | false |
isBotRelease | bool | false |
author | string | kamilmysliwiec |
htmlUrl | string | https://github.com/... |
body | string | full mode only |
repoStars | int | 68400 |
repoLastCommitDate | string | 2026-07-03T14:22:01Z |
repoDefaultBranch | string | main |
rulesetVersion | string | 1.0 |
Bold = intelligence fields. isBreaking/isSecurityFix booleans removed — use riskFlags.includes('breaking-change') / riskFlags.includes('security') instead.
Full schema defined in .actor/dataset_schema.json with two views: Signals (quick triage) and Full Details.
🧪 Local Development
cd tr-github-release-collectornpm installnpm run build# Create local inputmkdir -p storage/key_value_stores/defaultcat > storage/key_value_stores/default/INPUT.json << 'EOF'{"repositories":["nestjs/nest"],"maxReleases":3,"onlyFlagged":false}EOF# RunAPIFY_LOCAL_STORAGE_DIR=./storage npm start# Second run — stateful, no duplicate outputAPIFY_LOCAL_STORAGE_DIR=./storage npm start# View outputcat storage/datasets/default/000000001.json
Resetting state
Delete the state file to reset all tracking:
$rm -f storage/GITHUB_RELEASE_MONITOR_STATE.json
Or on the Apify platform, clear the default key-value store.
🚀 Deploy
apify loginapify push
⚠️ Rate Limits
Unauthenticated GitHub API usage is limited to 60 requests/hour.
This Actor makes 2 API calls per repository per run (one for releases, one for repo metadata), so monitoring ~25 repositories in a single run will exhaust the free quota.
- For monitoring more than ~25 repos per run, provide a GitHub token via the
tokeninput field (raises limit to 5,000 req/h, enough for ~2,500 repos). - The
requestDelayMsoption helps avoid bursty requests, but does not increase the hourly GitHub API quota. - The Actor logs
X-RateLimit-Remainingheaders on every API call and warns when quota is low.
🔍 Intelligence Details
Importance Score
Additive rule-based formula, capped to [0, 100] via Math.max(0, Math.min(100, score)):
| Signal | Weight |
|---|---|
| Baseline | 10 |
breaking-change flag | +50 |
security flag | +40 |
migration flag | +30 |
major SemVer | +25 |
minor SemVer | +5 |
| Each custom keyword match | +10 each |
| Prerelease | −15 |
Overflow example: breaking(50) + security(40) + major(25) = 115 → capped to 100.
Calibration: 100 = multi-risk critical release. Single minor patches score ~0.
State / Dedup
Cross-run dedup compares publishedAt timestamps. A release seen in a previous run is skipped.
⚠️ If a maintainer edits a release body after publication (e.g. adds CVE details later), the Actor will not reprocess it — the timestamp doesn't change. For critical dependencies, periodically reset the state file (see Local Development).
Custom Keywords
Matching is case-insensitive substring. Example: "security" matches "Security", "securityContext", "cybersecurity". Use specific phrases like "security fix", "CVE-2024" to reduce false positives.
🧱 Stack
- Node.js 22 + TypeScript
- Apify SDK 3.7
- GitHub REST API (no scraping libs)
- File-based state persistence
📄 License
MIT