GitHub Release Risk Monitor avatar

GitHub Release Risk Monitor

Pricing

Pay per usage

Go to Apify Store
GitHub Release Risk Monitor

GitHub Release Risk Monitor

Track GitHub releases and extract structured risk signals: breaking changes, security fixes, migrations, custom keyword flags, and importance scoring. Built for AI agents, CI/CD pipelines, dependency monitoring, and product research.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Eren Senses

Eren Senses

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

6 days ago

Last modified

Share

Apify

Track GitHub releases and detect breaking changes, security fixes, migrations, and important keywords — for AI agents, DevOps workflows, dependency monitoring, and product research.

Not a release collector. A risk signal extractor that turns raw changelogs into structured, scorable intelligence.

Intelligence is rule-based, not AI-generated. Risk flags, keyword matching, and importance scoring use deterministic regex + an additive formula — no LLM calls, no model inference. The intelligence input field accepts JSON overrides for custom rules, not prompt configuration.

Why this exists

Raw release data is cheap. Analyzed, risk-flagged, ready-to-consume signals are premium.

This Actor gives you:

  • SemVer classificationmajor / minor / patch from tag names
  • Breaking change detectionBREAKING CHANGE, migration required, backwards incompatible
  • Security fix detectionCVE-*, security patch, vulnerability
  • Custom keyword flags — your watchlist, auto-detected in every release
  • Importance scoring — 0–100 rule-based score (breaking+50, security+40, migration+30, major+25, keyword+10 each)
  • Only flagged mode — skip routine patches, emit only what matters
  • Stateful monitoring — cross-run tracking; second run emits zero duplicates
  • Rate-limit logging — reads X-RateLimit-Remaining headers, warns on low quota
  • Request delay — configurable ms between repos to smooth traffic

🎯 Use Cases

Monitor dependencies weekly

{
"repositories": ["vercel/next.js", "nestjs/nest", "microsoft/vscode", "apache/httpd"],
"onlyFlagged": true,
"outputFormat": "compact",
"requestDelayMs": 250
}

→ Get a clean weekly briefing: what changed, what's risky, what needs migration.

Find security releases across 50 repos

{
"repositories": ["expressjs/express", "fastify/fastify", "h5bp/html5-boilerplate"],
"onlyFlagged": true,
"customKeywords": ["security", "CVE", "vulnerability"],
"outputFormat": "compact"
}

→ Security team gets a focused list of releases that need review.

Feed release signals into AI agents / MCP workflows

{
"repositories": ["apify/apify-sdk-js", "apify/crawlee", "apify/apify-cli"],
"outputFormat": "compact",
"sinceDate": "2026-06-01"
}

→ AI agent receives structured release intelligence: {releaseType, importanceScore, riskFlags, shortSummary} — no raw markdown to parse.

⚙️ Input

FieldTypeDefaultDescription
repositoriesstring[]requiredowner/repo or full GitHub URL
tokenstring (secret)GitHub PAT (5,000 req/h, private repos)
maxReleasesint10Per repo (1–100)
includePrereleasesboolfalseInclude alpha/beta/rc
onlyFlaggedboolfalseEmit only releases with risk/keyword flags
sinceDatestringISO 8601 start date (e.g. "2026-07-01")
customKeywordsstring[]Extra keywords to detect
requestDelayMsint0Delay between repo API calls (ms)
outputFormatenumcompactcompact or full

📦 Output

FieldTypeExample
repostringnestjs/nest
tagNamestringv11.1.27
releaseNamestringv11.1.27
releaseTypeenumpatch
importanceScoreint (0–100)10
riskFlagsstring[]["migration"]
keywordFlagsstring[]["deprecated"]
truncatedBodystringCleaned first 300 chars
publishedAtstring2026-06-15T09:17:02Z
isPrereleaseboolfalse
isBotReleaseboolfalse
authorstringkamilmysliwiec
htmlUrlstringhttps://github.com/...
bodystringfull mode only
repoStarsint68400
repoLastCommitDatestring2026-07-03T14:22:01Z
repoDefaultBranchstringmain
rulesetVersionstring1.0

Bold = intelligence fields. isBreaking/isSecurityFix booleans removed — use riskFlags.includes('breaking-change') / riskFlags.includes('security') instead.

Full schema defined in .actor/dataset_schema.json with two views: Signals (quick triage) and Full Details.

🧪 Local Development

cd tr-github-release-collector
npm install
npm run build
# Create local input
mkdir -p storage/key_value_stores/default
cat > storage/key_value_stores/default/INPUT.json << 'EOF'
{"repositories":["nestjs/nest"],"maxReleases":3,"onlyFlagged":false}
EOF
# Run
APIFY_LOCAL_STORAGE_DIR=./storage npm start
# Second run — stateful, no duplicate output
APIFY_LOCAL_STORAGE_DIR=./storage npm start
# View output
cat storage/datasets/default/000000001.json

Resetting state

Delete the state file to reset all tracking:

$rm -f storage/GITHUB_RELEASE_MONITOR_STATE.json

Or on the Apify platform, clear the default key-value store.

🚀 Deploy

apify login
apify push

⚠️ Rate Limits

Unauthenticated GitHub API usage is limited to 60 requests/hour.
This Actor makes 2 API calls per repository per run (one for releases, one for repo metadata), so monitoring ~25 repositories in a single run will exhaust the free quota.

  • For monitoring more than ~25 repos per run, provide a GitHub token via the token input field (raises limit to 5,000 req/h, enough for ~2,500 repos).
  • The requestDelayMs option helps avoid bursty requests, but does not increase the hourly GitHub API quota.
  • The Actor logs X-RateLimit-Remaining headers on every API call and warns when quota is low.

🔍 Intelligence Details

Importance Score

Additive rule-based formula, capped to [0, 100] via Math.max(0, Math.min(100, score)):

SignalWeight
Baseline10
breaking-change flag+50
security flag+40
migration flag+30
major SemVer+25
minor SemVer+5
Each custom keyword match+10 each
Prerelease−15

Overflow example: breaking(50) + security(40) + major(25) = 115 → capped to 100.
Calibration: 100 = multi-risk critical release. Single minor patches score ~0.

State / Dedup

Cross-run dedup compares publishedAt timestamps. A release seen in a previous run is skipped.

⚠️ If a maintainer edits a release body after publication (e.g. adds CVE details later), the Actor will not reprocess it — the timestamp doesn't change. For critical dependencies, periodically reset the state file (see Local Development).

Custom Keywords

Matching is case-insensitive substring. Example: "security" matches "Security", "securityContext", "cybersecurity". Use specific phrases like "security fix", "CVE-2024" to reduce false positives.

🧱 Stack

  • Node.js 22 + TypeScript
  • Apify SDK 3.7
  • GitHub REST API (no scraping libs)
  • File-based state persistence

📄 License

MIT