A GitHub Action and CLI that detects breaking changes before release and generates plain English migration notes
Project description
📡 Downstream Breakage Radar
Detect breaking changes before they break your users.
A GitHub Action and CLI that scans your pull requests for changes likely to break downstream consumers — and generates plain-English migration notes so nobody gets surprised on release day.
Why?
Every library maintainer has lived this nightmare: you merge a PR, cut a release, and within hours your issue tracker fills up with reports from projects that depended on the function you renamed, the config key you removed, or the default you changed.
Downstream Breakage Radar catches those risks before they reach main. It diffs your branch against a base ref, identifies changes that touch public API surfaces and release-critical files, and tells you — in plain English — what downstream users will need to do.
No external dependencies. No complex setup. Just add it to your workflow and ship with confidence.
✨ Features
- 🔍 Automatic surface detection — flags changes to
src/,lib/,api/,schemas/,proto/, OpenAPI specs, and more - 📦 Package manifest awareness — catches edits to
pyproject.toml,package.json,Cargo.toml,go.mod,pom.xml, etc. - 📝 Migration notes — every finding includes a human-readable note explaining what to review
- 🎯 Risk scoring — summarizes overall risk level (
none/low/medium/high) at a glance - 🚨 Dependency Mismatch Detection — automatically flags missing imports (critical) or declared-but-unused packages in manifests
- 📊 Custom SVG Badges — generates a clean
breakage-radar-badge.svgrepresenting the overall risk level for your PRs - ⚠️ API Deprecation Awareness — automatically downgrades severity of removals if the code was marked as deprecated first
- 🛡️ SARIF Format — supports standardized SARIF output for GitHub's native Security/Code Scanning dashboard integration
- 📝 API Changelog Generator — generates a clean markdown changelog of all public additions, removals, and changes
- ⚙️ In-Manifest Configuration — manage rules, ignored paths, and custom directories directly inside
pyproject.tomlorbreakage-radar.json - 🖥️ Dual mode — runs as a GitHub Action in CI or locally as a CLI
- 📊 Multiple output formats — plain text, JSON, markdown PR comments, SARIF, or GitHub Actions annotations
- 🪶 Zero dependencies — pure Python, nothing to install beyond the standard library
🚀 Quick Start
As a GitHub Action (recommended)
Add this to .github/workflows/breakage-radar.yml:
name: Breakage Radar
on:
pull_request:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Scan for breaking changes
uses: Tahiram32/downstream-breakage-radar@main
with:
base-ref: origin/main
format: markdown
fail-on: high
As a CLI
# Install from source
pip install git+https://github.com/Tahiram32/downstream-breakage-radar.git
# Scan the current repo against origin/main
breakage-radar --repo . --base origin/main
# Get JSON output for CI tooling
breakage-radar --repo . --base origin/main --format json
Or run directly as a module:
python -m downstream_breakage_radar.cli --repo . --base origin/main
📋 Example Output
Text format
Risk level: medium
Changed files: 4
Findings: 3
- [medium] src/api/client.py: Change touches a likely public surface or release-critical file.
Migration note: Review for API compatibility, config drift, and release notes before merging.
- [low] src/api/client.py: Source code change may affect downstream consumers.
Migration note: Check for renamed symbols, changed defaults, and behavior shifts.
- [medium] pyproject.toml: Change touches a likely public surface or release-critical file.
Migration note: Review for API compatibility, config drift, and release notes before merging.
JSON format
{
"change_count": 4,
"changed_files": [
"src/api/client.py",
"pyproject.toml",
"docs/guide.md",
"tests/test_client.py"
],
"finding_count": 3,
"findings": [
{
"message": "Change touches a likely public surface or release-critical file.",
"migration_note": "Review for API compatibility, config drift, and release notes before merging.",
"path": "src/api/client.py",
"severity": "medium"
}
],
"risk_level": "medium"
}
⚙️ Configuration
| Input | Default | Description |
|---|---|---|
--repo |
. |
Path to the Git repository to scan |
--base |
origin/main |
Base ref to diff against (branch, tag, or commit SHA) |
--format |
text |
Output format: text for human-readable, json for machine-readable |
--fail-on |
high |
The risk level at which to exit with code 1 |
--draft-release |
false |
Automatically draft a GitHub release using the gh CLI |
Ignore Files
Create a .breakageignore file in the root of your repository to specify glob patterns for paths you want the scanner to completely ignore (e.g. src/internal_scripts/* or *_test.py).
GitHub Action inputs
When using as a GitHub Action, pass configuration via the with keyword. The action requires fetch-depth: 0 on checkout so the full git history is available for diffing.
🔬 How It Works
- Diff — runs
git diff --name-only <base-ref>...HEADto get the list of changed files - Classify — checks each path against known risky patterns:
- Path markers:
src/,lib/,app/,api/,public/,include/,internal/,pkg/,schemas/,proto/,openapi - Package manifests:
pyproject.toml,package.json,Cargo.toml,go.mod,pom.xml,build.gradle, and more - Source extensions:
.py,.ts,.js,.go,.rs,.java,.kt,.cs
- Path markers:
- Score — assigns severity (
lowfor source changes,mediumfor public surface / manifest changes) - Report — generates a summary with per-file findings and plain-English migration notes
🗺️ Roadmap
- Diff-aware API surface detection (AST-level analysis)
- Language-specific adapters for smarter risk scoring (Python, Go, JS/TS)
- Automated release-note drafting
- Downstream repository impact hints
-
fail-onthreshold to block PRs above a risk level - SARIF output for GitHub Security tab integration
- Native GitHub inline annotations (Workflow Commands)
🤝 Contributing
Contributions are welcome! Please read CONTRIBUTING.md for guidelines on setting up the dev environment, running tests, and submitting pull requests.
This project follows the Contributor Covenant Code of Conduct.
📄 License
This project is licensed under the MIT License — see the LICENSE file for details.
❤️ Sponsor This Project
Downstream Breakage Radar is free, open-source software maintained in spare time. Sponsorship directly funds:
- 🛠️ New features from the roadmap (AST analysis, language adapters, SARIF output)
- 🐛 Bug fixes and maintenance to keep the tool reliable
- 📖 Documentation and examples to help more teams adopt it
- 🌍 Community support — answering issues, reviewing PRs, and growing the ecosystem
If this tool saves your team from a breaking release, consider supporting its development:
→ Sponsor @Tahiram32 on GitHub
Every contribution — no matter the size — helps keep this project alive and moving forward. Thank you! 🙏
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file downstream_breakage_radar-0.5.0.tar.gz.
File metadata
- Download URL: downstream_breakage_radar-0.5.0.tar.gz
- Upload date:
- Size: 25.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a5201280ed384c2ebb97fcb1cec65f2200205de059090be2012100de508db572
|
|
| MD5 |
70e6d54097bf659a3c7dbd83a8624348
|
|
| BLAKE2b-256 |
19f6cc10e43b4ecfd16bf10fe7be9460fde31b9610f050a07c80b1264b934cac
|
File details
Details for the file downstream_breakage_radar-0.5.0-py3-none-any.whl.
File metadata
- Download URL: downstream_breakage_radar-0.5.0-py3-none-any.whl
- Upload date:
- Size: 27.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9970107b430bcc619e1000407cb36a456a64a4ec94969636b60fbb809db480f6
|
|
| MD5 |
60b47e236df6c05c2f49d0a5eb482ff9
|
|
| BLAKE2b-256 |
6efe4a3a08427ef3cda378e8a72c1d98f7f3a3aa80361fe9f6b62fe669cd6b01
|