The Problem
Code review tools are great at catching style issues. Linters catch bugs. But nobody answers the most critical question: "If I deploy this PR right now, what breaks in production?"
I've been burned by:
- A DB column added without a migration → 2 hours downtime
- An API response field renamed → frontend crashed silently
- Express v4 → v5 bump → middleware broke in production
So I built PR Guardian.
What It Does
PR Guardian is a GitHub Action. When you open a PR, it:
- Parses the diff (language detection, file filtering)
- Analyzes it with AI (DeepSeek, specialized prompts)
- Posts findings as a PR comment with a 1-10 risk score
What Makes It Different
Every other tool checks code quality. PR Guardian checks production risk:
| Tool | Focus |
|---|---|
| SonarQube | Code quality rules |
| CodeRabbit | Style + basic bugs |
| Sourcery | Python refactoring |
| PR Guardian | Production safety |
Real Examples
Last week it caught these in a test PR:
- SQL injection via string concatenation → CRITICAL
- Session token in localStorage → CRITICAL (XSS risk)
- Express v5 major version bump → WARNING
Tech Stack
- TypeScript + GitHub Actions SDK
- DeepSeek AI (10x cheaper than GPT-4/Claude)
- Compiled to single JS bundle with ncc
- 25 languages, 9 with deep analysis rules
Try It
- Add `.github/workflows/pr-guardian.yml` to your repo
- Set the `DEEPSEEK_API_KEY` secret
- That's it
```yaml
- uses: ertaneker/pr-guardian@main
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    deepseek_api_key: ${{ secrets.DEEPSEEK_API_KEY }}
```
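A complete `pr-guardian.yml` to put the step above into context, written here as an added example rather than taken from the project's docs. It assumes the action needs the PR diff checked out and needs `pull-requests: write` on `GITHUB_TOKEN` to post its comment; the two inputs are the ones shown above.

```yaml
# .github/workflows/pr-guardian.yml (added example, not the project's own file)
name: PR Guardian

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege for the job token: read the repo, comment on the PR.
# Assumption: pull-requests: write is what the action needs to post
# its risk-score comment; contents: read covers the checkout.
permissions:
  contents: read
  pull-requests: write

jobs:
  risk-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so base..head can be diffed (assumed to be
          # needed; drop if the action fetches the diff via the API).
          fetch-depth: 0

      # For a production repo, pin to a release tag or commit SHA
      # instead of @main so the action's code cannot change under you.
      - uses: ertaneker/pr-guardian@main
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          deepseek_api_key: ${{ secrets.DEEPSEEK_API_KEY }}
```

Since the diff is sent to DeepSeek for analysis, the API key belongs in repository secrets only, and private-repo owners should be aware that changed code leaves GitHub for that call.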
[GitHub Repo](https://github.com/ertaneker/pr-guardian) | [Docs](https://github.com/ertaneker/pr-guardian/blob/main/docs/USAGE.md)
MIT licensed. Free for open source. Would love your feedback!