This document explains the internal GitHub Actions workflow for the GitHub Scanner project.
The repo-health-scan.yml workflow is designed to automatically scan GitHub organizations for repository health metrics. It provides flexible triggering options and intelligent organization detection.
The workflow automatically triggers when code is pushed to the scan branch:
git checkout -b scan
git push origin scan
The workflow can be manually triggered from the GitHub Actions UI with optional parameters:
- github_org: Override organization to scan
- pr_threshold_days: Days threshold for considering PRs as old (default: 30)
The workflow uses a priority-based system to determine which GitHub organization to scan:
- Manual Input (highest priority)
  - When manually triggering the workflow, the github_org input overrides all other sources
- Commit Message
  - If the latest commit message contains GITHUB_ORG=organization-name, it will use that organization
  - Example commit message: "Fix scanner bug GITHUB_ORG=my-company"
- Repository Secret (fallback)
  - Uses the GITHUB_ORG secret configured in repository settings
  - Go to Settings → Secrets and variables → Actions → New repository secret
If no organization is found through any of the above methods, the workflow will:
- Display clear error messages
- Provide instructions on how to configure the organization
- Exit with failure status
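The priority order and failure behaviour described above, as an added POSIX shell example (not the project's own workflow code). The function names are hypothetical, and the name check (letters, digits and inner hyphens, at most 39 characters) is an assumption about GitHub organization names, added because the commit message is free text.

```shell
# Added example; function names are hypothetical, not taken from repo-health-scan.yml.
LC_ALL=C; export LC_ALL   # keep the A-Z/a-z ranges below ASCII-only

# Assumed rule for organization names: letters, digits, inner hyphens, <= 39 chars.
valid_org() {
  case "$1" in
    ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 39 ]
}

# Print the first GITHUB_ORG=<token> value found in a commit message, or nothing.
org_from_commit() {
  tok=$(printf '%s\n' "$1" | grep -oE 'GITHUB_ORG=[^[:space:]]+' | head -n 1 || true)
  printf '%s' "${tok#GITHUB_ORG=}"
}

# resolve_org MANUAL_INPUT COMMIT_MESSAGE SECRET
# Prints "<source> <org>" and returns 0; returns 1 if nothing usable was found.
resolve_org() {
  commit_org=$(org_from_commit "$2")
  if [ -n "$1" ]; then
    src=manual; org=$1              # 1. manual input wins
  elif [ -n "$commit_org" ]; then
    src=commit; org=$commit_org     # 2. latest commit message
  elif [ -n "$3" ]; then
    src=secret; org=$3              # 3. repository secret (fallback)
  else
    echo "No GitHub organization specified" >&2
    return 1
  fi
  # The chosen value is validated before any later step uses it.
  if ! valid_org "$org"; then
    echo "Rejected organization value from source: $src" >&2
    return 1
  fi
  printf '%s %s\n' "$src" "$org"
}
```

In a workflow step, pass the manual input, the commit message and the secret in through `env:` and read them as quoted shell variables rather than expanding `${{ ... }}` expressions inside the script body, so the free-text commit message is only ever handled as data.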
git add .
git commit -m "Update scanner configuration GITHUB_ORG=vo-ecosystem"
git push origin scan

- Go to Actions tab in GitHub
- Select "Repository Health Scan"
- Click "Run workflow"
- Enter organization name in github_org field
- Optionally adjust pr_threshold_days

- Set GITHUB_ORG secret to vo-ecosystem in repository settings
- Push any commit to scan branch
- Workflow will automatically use the secret value
- Fetches the complete git history (fetch-depth: 0)
- Required to access commit messages for organization detection
- Executes the priority-based organization detection logic
- Sets the organization as an output variable for subsequent steps
- Provides clear logging of which source was used
- Executes make fresh command with determined environment variables
- Uses the detected organization and configurable PR threshold
- Displays scan parameters for transparency
- Creates artifacts with scan results
- Artifact naming includes organization and run number for easy identification
- Sets 30-day retention period for reports
The workflow sets these environment variables for the scanner:
- GITHUB_TOKEN: Automatically provided by GitHub Actions
- GITHUB_ORG: Determined through the priority system described above
- OLD_PR_THRESHOLD_DAYS: From manual input or defaults to 30
Artifacts are named: health-report-{organization}-{run_number}
Examples:
- health-report-vo-ecosystem-123
- health-report-my-company-456
- JSON reports with detailed scan results
- Repository health metrics
- Lists of stale branches and old pull requests
- Reports are retained for 30 days
- Can be downloaded from the Actions run page
The workflow uses the default GITHUB_TOKEN which has:
- Read access to the repository
- Access to organization repositories (if the token has appropriate permissions)
- GITHUB_ORG secret is optional but recommended for consistent scans
- Never hardcode sensitive information in commit messages
- Organization names are generally not sensitive, so commit message usage is acceptable
- "No GitHub organization specified" Error
  - Solution: Set GITHUB_ORG secret or include it in commit message
- Permission Denied Errors
  - Solution: Ensure the repository has access to scan the target organization
  - May require organization-level token or app installation
- Workflow Not Triggering on Push
  - Verify you're pushing to the scan branch specifically
  - Check that the workflow file is in the default branch
- Commit Message Not Parsed
  - Ensure format is exactly GITHUB_ORG=organization-name
  - No spaces around the equals sign
  - Organization name should not contain spaces
- Check Workflow Logs
  - The "Determine GitHub Organization" step shows which source was used
  - Look for clear messages about organization detection
- Verify Commit Messages
  git log -1 --pretty=%B # Shows the latest commit message
- Test Manual Trigger
  - Use manual trigger to test with known organization
  - Helps isolate organization detection issues
- Use commit message method for testing different organizations
- Create feature branches and merge to scan branch for testing
- Set GITHUB_ORG secret for consistent organization scanning
- Use manual triggers for ad-hoc scans of different organizations
- Monitor artifact retention and download important reports
- The scan branch can be used as a deployment trigger
- Combine with other workflows for comprehensive repository management
- Consider scheduling regular pushes to scan branch for automated scanning
The workflow can be extended to:
- Send notifications to Slack/Teams channels
- Create issues automatically for repositories with problems
- Generate summary reports for management
- Integrate with project management tools
- Review and update the PR threshold based on team practices
- Monitor artifact storage usage
- Update Python dependencies in the scanner
- Set up notifications for workflow failures
- Review scan results regularly
- Track trends in repository health over time