Repo Deck · GitHub portfolio QA · v2.1

Audit your entire GitHub.
In one dashboard.
One PR fixes them all.

Repo Deck scans every repo you own across five quality axes — tests, CI, security, code quality, docs — surfaces what's missing, and opens pull requests that fix it. Self-hosted. Your tokens. Your code never leaves your server.

Self-hosted Flask + Jinja2 OAuth or PAT Railway-ready
repodeck.berta.one/
$ repodeck scan --portfolio @luigipascal ▸ scanning 22 repositories ··················· done ▸ running 5 QA checks per repo ··············· done ▸ writing report ····························· done ┌─ Portfolio health ──────────────────────────┐ Score 68/100 ▍▍▍▍▍▍▍▌ Ready ●● 7 Needs work ●● 11 Critical ●● 4 Auto-fixable 38 └──────────────────────────────────────────────┘ repo T C S Q D score arbor ▔ ▔ ▔ ▔ ▔ 90 excelart ▔ ▔ ▔ ▔ ▔ 88 orbaos ▔ ▔ ▔ ▔ 81 github-manager ▔ ▔ ▔ 76 rondanini-publishing ▔ ▔ ▔ ▔ ▔ 48 musicglyph ▔ ▔ ▔ ▔ ▔ 29 … 16 more $ repodeck fix --auto --critical
PR opened · 2s ago
repo-deck/auto-fix → orbaos-assurance
  • add .github/workflows/ci.yml
  • add dependabot.yml
  • add SECURITY.md
  • add CODEOWNERS
Repositories 22 in the sample portfolio @luigipascal, scanned 14m ago.
Without CI 6 no test workflow on push or PR. Silent failures waiting to happen.
Missing dependabot 11 no automated dependency updates. Stale, drifting, increasingly unsafe.
Critical health 4 score under 40. Two failed checks or worse — not safe to operate.
§ 01 · The flow

Three steps from unknown sprawl to a clean, audited portfolio.

STEP 01 / CONNECT

Sign in with GitHub.

OAuth (one click) or drop a PAT into .env for headless deploys. Repo Deck reads your repo list, branches and commits via the GitHub API — never touches anything else.

GET /user/repos 200 GET /rate_limit 200 → 22 repos detected
STEP 02 / SCAN

Five weighted checks per repo.

Tests, CI/CD, security, code quality, docs — each scored 0–100, then weighted into an overall health number. Batched in groups of 10, streaming results back over NDJSON so you watch the portfolio update live.

batch 1/3 ▔▔▔▔▔▔▔▔▔▔ 10/22 batch 2/3 ▔▔▔▔▔▔▔▔▔▔ 20/22 batch 3/3 ▔▔▔▔▔▔▔▔▔▔ 22/22
STEP 03 / FIX

Pull requests that fix what's broken.

For everything auto-fixable — missing workflows, dependabot, SECURITY.md, CODEOWNERS — Repo Deck generates the file, opens a branch, and ships a PR against your default. One item or all of them, your call.

PR #142 opened repo-deck/dependabot + .github/dependabot.yml + 1 file changed, 24 +
§ 02 · The rubric

Five checks, evenly weighted. No magic. No surprises.

T

Tests & coverage

Test directory present, pytest / vitest configured, a coverage report published from CI. Score scales with reported coverage and the breadth of test discovery.

w 0.20
C

CI / CD pipeline

Workflow files on push and PR, required status checks on default branch, dependency caching, pinned action versions. Green builds count more than the presence of YAML.

w 0.20
S

Security

Dependabot enabled, no stale alerts, secret scanning on, SECURITY.md disclosure policy, no high-severity advisories outstanding for more than 14 days.

w 0.20
Q

Code quality

Linter and formatter configured, complexity under threshold, consistent style across the tree, pre-commit hooks present. Looks at config + reported violations, not vibes.

w 0.20
D

Docs & README

README beyond a one-liner, Quickstart and Configuration sections, LICENSE file, CONTRIBUTING when relevant, screenshots or a usage example. Real onboarding, not table-stakes.

w 0.20

Overall score

Weighted average. Two failed checks or a score under 40 marks the repo critical; one fail or two warnings is needs work; otherwise ready.

∑ 1.00
§ 03 · The differentiator

One PR. Every fix you need.

The audit is the easy part. The hard part is doing 12 things across 22 repos on a Tuesday. Repo Deck generates the files, opens a single PR per repo, and waits for your review.

  • CRITICAL
    .github/workflows/ci.yml Build & test on push and PR, with caching and matrix for your language. Tuned per detected stack.
  • HIGH
    dependabot.yml npm + pip + GitHub Actions ecosystems, weekly cadence, grouped minor updates.
  • HIGH
    SECURITY.md Disclosure policy with your contact email, supported versions, expected response window.
  • MEDIUM
    CODEOWNERS · PR template · gitignore · editorconfig · pre-commit The boring scaffolding that should already be there. Idempotent — Repo Deck skips files that exist and won't overwrite custom config.
repo-deck/auto-fix · #142 ● open
chore: add CI, dependabot, security policy & codeowners
+ .github/workflows/ci.yml +82
+ .github/dependabot.yml +24
+ SECURITY.md +18
+ CODEOWNERS +6
~ .gitignore +12 −0
+ .editorconfig +11
✓ all checks passed · branch repo-deck/auto-fix-2.1
§ 04 · Self-host

Your tokens. Your server. Your code never leaves it.

Repo Deck is a small Flask app — single Gunicorn worker, Jinja2 templates, vanilla JS. It runs on Railway in minutes, or anywhere Python runs in seconds. No third-party services. No analytics. No data sent anywhere but api.github.com.

  • Flask + Jinja2 + vanilla JSNo build step. No bundler. Read the source, change a template, restart Gunicorn.
  • OAuth or PATEnd-users sign in with GitHub, or set GITHUB_PAT on the server for headless / shared use.
  • Railway-readyProcfile, runtime.txt, gunicorn entrypoint, single worker so the APScheduler thread only runs once.
  • Open sourceMIT. Read every check. Fork it. Add your own rules in github_manager/qa_analyzer.py.
# clone, configure, run $ git clone https://github.com/luigipascal/github-manager $ cd github-manager $ cp .env.template .env # add one of these to .env GITHUB_PAT="ghp_…" # shared / headless # or OAuth for end-user sign-in GITHUB_OAUTH_CLIENT_ID="…" GITHUB_OAUTH_CLIENT_SECRET="…" GITHUB_OAUTH_REDIRECT_URI="https://…/oauth/callback" # run it $ pip install -r requirements.txt $ gunicorn app_github_manager:app # or local dev $ python app_github_manager.py → http://localhost:5000
§ 05 · Common questions

Questions we get asked. Answered honestly.

Does Repo Deck write to my repositories without consent?

No. Reads are read-only against the GitHub API. Writes only happen when you click Fix or Fix all, and they go out as pull requests against your default branch — never direct commits. You review every change before it merges.

Will it work with private repos and organizations?

Yes. With OAuth, Repo Deck inherits whatever access your user has. With a PAT, scope it to repo for full access or public_repo for public-only. Org repos require either an org-installed GitHub App or a member with org access.

How is the overall score actually computed?

Weighted average of the five sub-scores (each 0–100, currently equal-weighted at 0.20). Two failed checks or an overall under 40 marks the repo critical; one fail or two warnings is needs work; everything else is ready. All thresholds live in github_manager/qa_analyzer.py and are one-line changes.

Can I add my own checks?

Yes. Subclass QAAnalyzer or drop a function into the checks registry — Repo Deck calls each check with the scanned repo dict and expects a (score, status, recommendations) tuple back. Same shape, same dashboard, same auto-fix hooks.

What about GitHub API rate limits?

Built in. The dashboard surfaces your remaining budget in the top bar; scans run batched (default 10 repos per batch) and back off automatically when you cross 30%. Caching is enabled by default with a per-endpoint TTL — clear it from the UI with Refresh.

Does it phone home? Telemetry? Analytics?

No outbound calls except api.github.com. No analytics. The only data Repo Deck stores is a small SQLite cache for scan results — and it sits on your server, mounted on your volume.

How much does it cost?

Free. MIT-licensed. Built originally to QA Berta's own 130+ repo portfolio; we kept it tidy enough to ship. The only cost is the box you run it on — Railway's free tier handles a portfolio of a few hundred repos comfortably.

Bring order to your GitHub

Stop wondering which repo
is the silent landmine.

Five minutes to install. Three minutes to scan. Pull requests waiting by the time the coffee's ready.