GitHub Action
Run the FlagShark scanner inside GitHub Actions, post a PR comment, and optionally fail the build below a health threshold.
FlagShark/flagshark is the official FlagShark GitHub Action. It runs the same detection engine as the CLI, posts a sticky comment on every pull request, and writes a job summary to the Actions UI. You can optionally fail the workflow when your flag health score drops below a threshold you set.
No FlagShark account required. The Action is open-source (MIT) and lives at FlagShark/flagshark.
Quickstart
Drop this into .github/workflows/flagshark.yml:
name: FlagShark
on: [pull_request]
permissions:
contents: read
pull-requests: write
jobs:
flagshark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Required: git blame (flag age) and the changed-file diff need full history
- uses: FlagShark/flagshark@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}On the next PR, FlagShark scans the changed files, posts a comment, and writes a job summary.
pull-requests: write is needed so the Action can post (and update) its PR comment; contents: read lets it read the diff. If you set output-format: none, you can drop pull-requests: write.
@v2 tracks the latest v2.x (staleness threshold in days, the current behavior shown here). You can pin more strictly to a full version tag or a commit SHA for supply-chain control.
@v1 is the legacy line where threshold is measured in months (default 6). If you're still on @v1, the threshold value means months, not days; upgrade to @v2 for the day-based behavior documented here.
fetch-depth: 0 is required. The default actions/checkout@v4 performs a shallow clone, which breaks git blame (used to determine flag age) and prevents the changed-file diff from resolving against the base branch.
Inputs
All inputs are optional.
| Input | Default | Description |
|---|---|---|
scan | changed | changed — only files modified in the PR (fast). full — entire repository (full health score). |
threshold | 30 | Staleness threshold in days. Flags older than this are marked stale. |
fail-threshold | 0 | Fail the workflow if the health score drops below this value. 0 = never fail. |
output-format | markdown | PR comment format: markdown (default) or none to disable the comment entirely. |
sarif | — | Write SARIF v2.1.0 output to this path. Omit to skip SARIF output. |
no-cache | false | Skip the platform-flag cache and force a re-fetch from the connected flag platform. |
fail-on-error | true | Fail the build when any missing-in-platform flag is detected. |
missing-in-platform, archived-in-platform), and therefore fail-on-error and the error-count output, only apply when you've connected a flag platform via the platforms: block in .flagshark.yml. Without one, no platform signals are produced and fail-on-error has no effect.
Pass inputs via with::
- uses: FlagShark/flagshark@v2
with:
scan: full # scan the whole repo, not just PR files
threshold: 7 # stricter staleness window
fail-threshold: 80 # block the PR below 80/100 health
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}Outputs
The Action sets the following outputs you can chain into later steps.
| Output | Description |
|---|---|
health-score | Flag health score (0–100) |
stale-count | Number of unique stale flag names found |
total-count | Total number of flags detected |
sarif-path | Absolute path to the SARIF file written (only set when sarif: input is provided) |
error-count | Number of unique flag names with error-severity signals (e.g. missing-in-platform) |
Reference outputs in a later step by giving the Action an id: and using steps.<id>.outputs.<name>:
jobs:
flagshark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: FlagShark/flagshark@v2
id: flagshark
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enforce health gate
run: |
echo "Health score: ${{ steps.flagshark.outputs.health-score }}"
echo "Stale flags: ${{ steps.flagshark.outputs.stale-count }}"
echo "Flags with errors: ${{ steps.flagshark.outputs.error-count }}"What the Action produces
Each run produces up to four artifacts:
- Sticky PR comment: Posted on
pull_requestevents when at least one flag is found andoutput-formatismarkdown. If a comment from a previous push already exists (identified by a hidden HTML marker), the Action updates it in place rather than stacking new ones. - Actions job summary: Written on every run. Headed "🦈 FlagShark Scan Results", it includes the health score, a metrics table, detected providers, and the top 15 stale flags. Visible under the Summary tab on the workflow run page, useful for scheduled scans and pushes to
mainwhere there is no PR comment. - Status check:
core.setFailed()is called whenfail-thresholdis exceeded orfail-on-errortriggers amissing-in-platformerror, failing the workflow step and any required branch-protection check wired to it. - SARIF file: Written to the path specified by the
sarif:input (optional). Thesarif-pathoutput contains the resolved absolute path.
Gating the merge
Set fail-threshold to block PRs whose health score falls below a target. Once the workflow has run on the default branch at least once, GitHub recognizes the check name and you can mark it required under Settings → Branches → Branch protection rules.
- uses: FlagShark/flagshark@v2
with:
fail-threshold: 80 # Block merges when health score drops below 80
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}With the default fail-threshold: 0, the Action only reports; it never fails the workflow even if your code is full of stale flags.
SARIF → GitHub Code Scanning
Set the sarif: input to emit a SARIF file, then upload it with github/codeql-action/upload-sarif@v3. Stale flags then appear in the repo's Security → Code Scanning tab alongside other static-analysis findings.
jobs:
flagshark:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: FlagShark/flagshark@v2
id: flagshark
with:
sarif: flagshark.sarif
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: ${{ steps.flagshark.outputs.sarif-path }}For the full GitHub integration setup, see GitHub Integration.
Runtime details
The Action runs on Node 20.
Related Documentation
- FlagShark CLI: The same scanner, run locally or in any CI
- Configuration:
.flagshark.ymlfor custom providers and exclusions - Library (@flagshark/core): use the detection engine directly in your own tooling