Skip to content
Latchkey

How to Enforce PR Review Rules With Danger JS

Danger JS runs a dangerfile.js against the PR and posts warnings or fails the build when your rules are violated.

Write rules in dangerfile.js using the danger API (added/modified files, PR metadata), then run npx danger ci in a workflow with DANGER_GITHUB_API_TOKEN set to the built-in token.

Steps

  • Add danger as a dev dependency.
  • Write rules in dangerfile.js with warn() and fail().
  • Run npx danger ci with the GitHub token in the environment.

dangerfile.js

dangerfile.js
import { danger, warn, fail } from 'danger'

// Fail when a source change ships without a changelog entry
const hasChangelog = danger.git.modified_files.includes('CHANGELOG.md')
const hasSrcChange = danger.git.modified_files.some((f) => f.startsWith('src/'))
if (hasSrcChange && !hasChangelog) {
  fail('Please add a CHANGELOG.md entry for this change.')
}

// Warn on large diffs
const bigPR = danger.github.pr.additions + danger.github.pr.deletions > 500
if (bigPR) {
  warn('This PR is large; consider splitting it.')
}

Workflow

.github/workflows/ci.yml
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npx danger ci
        env:
          DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Gotchas

  • fail() blocks merge only if the Danger check is required in branch protection.
  • Danger needs the full git history for some helpers; set fetch-depth: 0 on checkout.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →