Production readiness checks on every pull request. 22 checks, a 0-100 Score, posted as a PR comment.
Astro Score is the same diagnostic that powers the Vibe Code Report and useastro.com/score. The Action runs the same 22 checks against your repo on every PR and posts the results as a comment, so you see what would break in production before it ships.
Add `.github/workflows/score.yml` to your repo:

```yaml
name: Astro Score
on: [pull_request]
jobs:
  score:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: use-astro/score-action@v1
```

That is the whole install. The Action will check out your repo, run the 22 checks, and post a comment on the PR with the Score and the failing checks.
| Name | Default | Description |
|---|---|---|
| `github-token` | `${{ github.token }}` | Token used to post the PR comment. The default workflow token works for public repos. |
| `fail-on-score-below` | `0` | Fail the workflow if the Score is below this number. `0` disables the gate. |
| `comment-on-pr` | `true` | Post the Score as a PR comment. Set to `false` if you want outputs only. |
| `post-badge` | `false` | Reserved for v1.1. No effect today. |
| `api-endpoint` | `https://useastro.com` | Reserved for v1.1 backend submission. Unused today. |
| Name | Description |
|---|---|
| `score` | The overall Score (0-100). Empty string if the repo is not a JS/TS project. |
| `report-url` | A shareable URL to the full report for this repo. |
```yaml
- uses: use-astro/score-action@v1
  with:
    fail-on-score-below: 60
```

The Action exits non-zero if the Score is below 60. Use this once you know your repo's typical Score and want to prevent regressions.
```yaml
- id: score
  uses: use-astro/score-action@v1
  with:
    comment-on-pr: false
- name: Print the Score
  run: echo "Astro Score is ${{ steps.score.outputs.score }}. See ${{ steps.score.outputs.report-url }}"
```

```yaml
on:
  pull_request:
  push:
    branches: [main]
jobs:
  score:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: use-astro/score-action@v1
```

Push runs do not post a PR comment (there is no PR), but they still set the `score` and `report-url` outputs.
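The snippets above each show one feature in isolation. The workflow below is an added example, not part of this README or the Action's own repository, that combines them: it runs on pull requests and on pushes to `main`, gates at 60, and records the outputs in the run summary whether or not the gate passes. Two things in it are assumptions rather than documented behaviour: that posting the PR comment with the default `GITHUB_TOKEN` requires `pull-requests: write` (it does when a repository's default workflow permissions are read-only), and that the Action writes its outputs before exiting non-zero on a failed gate (if it does not, the summary shows `n/a` on those runs).

```yaml
name: Astro Score
on:
  pull_request:
  push:
    branches: [main]

# Assumption: the PR comment is posted with the default token, which needs
# write access to pull requests. Grant only that and keep contents read-only.
permissions:
  contents: read
  pull-requests: write

jobs:
  score:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - id: score
        uses: use-astro/score-action@v1
        with:
          fail-on-score-below: 60   # gate: the step exits non-zero below 60

      # Runs even when the gate above fails so the Score still reaches the
      # run summary. Assumes the Action sets its outputs before exiting
      # non-zero; the ${VAR:-n/a} defaults cover the case where it does not
      # (and the non-JS/TS case, where score is an empty string).
      - name: Record the Score in the job summary
        if: ${{ !cancelled() }}
        env:
          SCORE: ${{ steps.score.outputs.score }}
          REPORT_URL: ${{ steps.score.outputs.report-url }}
        run: |
          {
            echo "### Astro Score"
            echo "Score: ${SCORE:-n/a}"
            echo "Report: ${REPORT_URL:-n/a}"
          } >> "$GITHUB_STEP_SUMMARY"
```

The outputs are passed to the shell through `env` rather than interpolated with `${{ }}` inside the `run` script. The values here are a number and a URL, but routing step outputs through environment variables is the habit worth keeping: a value that ever contained shell metacharacters would then be treated as data instead of being spliced into the command text.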
The same rubric as the public scanner:
- Error boundaries, logging, observability
- API auth, input validation, rate limiting
- Timeout protection on external calls
- Database transactions, migrations, query safety
- Environment separation, secret handling, .env hygiene
- CI/CD config, lockfile, hot-field indexes
- Cookie and session flag safety
- Open CORS on authenticated APIs
- Client/server boundary violations
- Cross-tenant query leakage
- Webhook signature verification
- Unrestricted file uploads
- JWT in localStorage
The full list and methodology live at useastro.com/vibe-code-report/#methodology.
JavaScript and TypeScript repos. The Action detects the framework (Next.js, Remix, SvelteKit, Nuxt, Astro, Express, Hono, Fastify, NestJS, and more) and adjusts the relevant checks.
Repos that are not JS/TS are skipped with a warning and no PR comment.
MIT. See LICENSE.
- useastro.com/score. Paste any GitHub URL, get the same Score in your browser.
- The Vibe Code Report. What we learned scanning 100,000 AI-generated repos.