GitHub Actions Pre-deploy Scan

Automatically scan your preview deployment before every PR merge. Get a comment with PageSpeed, security, SSL and SEO results — right on the pull request.

How it works

When a pull request is opened or updated, SiteBrief scans the preview URL and posts a comment with results directly on the PR. Your team sees performance, security headers, SSL and SEO status before anything reaches production.

ℹ️

Note:This requires a preview deployment URL — works out of the box with Vercel, Netlify, Render and any platform that creates a preview URL per PR.

Step 1 — Get your API key

Go to Settings → API Keys in your SiteBrief dashboard and create a new key. Copy the key — you will only see it once.

Add it as a GitHub Actions secret in your repo: Settings → Secrets → Actions → New secret. Name it SITEBRIEF_API_KEY.

Step 2 — Add the workflow

Create .github/workflows/sitebrief.yml in your repository:

Vercel preview deployments

name: SiteBrief Pre-deploy Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sitebrief:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

    steps:
      - name: Wait for Vercel preview
        uses: patrickedqvist/wait-for-vercel-preview@v1.3.1
        id: vercel
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          max_timeout: 60

      - name: SiteBrief scan
        id: scan
        run: |
          RESULT=$(curl -s -X POST https://sitebrief.net/api/scan/preview \
            -H "Authorization: Bearer ${{ secrets.SITEBRIEF_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ steps.vercel.outputs.url }}"}')
          echo "markdown<<EOF" >> $GITHUB_OUTPUT
          echo "$RESULT" | jq -r '.markdown' >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

      - name: Post PR comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.scan.outputs.markdown }}

Netlify preview deployments

name: SiteBrief Pre-deploy Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  sitebrief:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write

    steps:
      - name: Wait for Netlify preview
        uses: probablyup/wait-for-netlify-action@3.2.0
        id: netlify
        with:
          site-id: ${{ secrets.NETLIFY_SITE_ID }}
          max-timeout: 60

      - name: SiteBrief scan
        id: scan
        run: |
          RESULT=$(curl -s -X POST https://sitebrief.net/api/scan/preview \
            -H "Authorization: Bearer ${{ secrets.SITEBRIEF_API_KEY }}" \
            -H "Content-Type: application/json" \
            -d '{"url": "${{ steps.netlify.outputs.deploy-url }}"}')
          echo "markdown<<EOF" >> $GITHUB_OUTPUT
          echo "$RESULT" | jq -r '.markdown' >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT

      - name: Post PR comment
        uses: marocchino/sticky-pull-request-comment@v2
        with:
          message: ${{ steps.scan.outputs.markdown }}

Manual URL (any platform)

If your CI already knows the preview URL, pass it directly:

- name: SiteBrief scan
  id: scan
  run: |
    RESULT=$(curl -s -X POST https://sitebrief.net/api/scan/preview \
      -H "Authorization: Bearer ${{ secrets.SITEBRIEF_API_KEY }}" \
      -H "Content-Type: application/json" \
      -d '{"url": "https://preview-${{ github.event.pull_request.number }}.myapp.com"}')
    echo "markdown<<EOF" >> $GITHUB_OUTPUT
    echo "$RESULT" | jq -r '.markdown' >> $GITHUB_OUTPUT
    echo "EOF" >> $GITHUB_OUTPUT

Step 3 — Example PR comment

After setup, every PR automatically gets a comment like this:

## 🔍 SiteBrief Pre-deploy Scan

**URL:** `https://preview-42.myapp.com`
**Scanned:** Fri, 30 May 2026 14:22:11 UTC

| Check | Status | Details |
|-------|--------|---------|
| PageSpeed | ✅ pass | Score: 87/100 |
| Security Headers | ⚠️ warn | Grade C — missing: X-Frame-Options, CSP |
| SSL | ✅ pass | Valid certificate |
| SEO Meta | ✅ pass | ✓ title, ✓ description |

**⚠️ Warnings — 2 passed, 1 warning, 0 failed**

> 💡 Fix these issues automatically with DevLab →

API reference

POST /api/scan/preview

Runs a full pre-deploy scan on any URL.

curl -X POST https://sitebrief.net/api/scan/preview \
  -H "Authorization: Bearer sp_live_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "url": "https://preview.your-site.com",
    "checks": ["pagespeed", "security", "ssl", "seo"]
  }'

Parameters:

url (required) — the preview URL to scan
checks (optional) — array of checks to run. Default: all four. Options: pagespeed, security, ssl, seo

Response:

{
  "url": "https://preview.your-site.com",
  "scanned_at": "2026-05-30T14:22:11.000Z",
  "checks": {
    "pagespeed": { "score": 87, "status": "pass" },
    "security":  { "grade": "C", "missing": ["X-Frame-Options"], "status": "warn" },
    "ssl":       { "valid": true, "status": "pass" },
    "seo":       { "title": true, "description": true, "status": "pass" }
  },
  "passed": 3,
  "warned": 1,
  "failed": 0,
  "summary": "⚠️ Warnings — 3 passed, 1 warning, 0 failed",
  "markdown": "## 🔍 SiteBrief Pre-deploy Scan\n..."
}

FAQ

Does it block merging if checks fail?

By default no — the scan posts a comment but does not block the PR. To block merging on failures, add a required status check in your branch protection rules and change the workflow step to exit with code 1 whenfailed > 0.

How long does a scan take?

Usually 10–30 seconds depending on PageSpeed API response time. The endpoint has a 45-second timeout.

Can I skip certain checks?

Yes — pass the checks array with only the checks you want:{"url": "...", "checks": ["security", "seo"]}