GitHub Actions
The Qodana Scan GitHub action allows you to run Qodana in a GitHub repository.
Prepare your project
Qodana Cloud
All configuration examples in this section use a project token generated by Qodana Cloud. This token is required for the paid Qodana linters and optional for use with the Community linters. You can see these sections to learn how to generate the project token in the Qodana Cloud UI:
The project setup section explains how to generate a project token when first working with Qodana Cloud.
The Manage a project section explains how to create a project token within an existing Qodana Cloud organization.
Once you obtain the project token, you can use the QODANA_TOKEN
variable for identifying in a pipeline or workflow.
If you are using a Qodana Cloud instance other than https://qodana.cloud/
, override it by setting the QODANA_ENDPOINT
environment variable.
Basic configuration
On the
tab of the GitHub UI, create theQODANA_TOKEN
encrypted secret and save the project token as its value. If you are using a Qodana Cloud instance other than https://qodana.cloud/, override it by declaring theQODANA_ENDPOINT
environment variable.On the
tab of the GitHub UI, set up a new workflow and create the.github/workflows/code_quality.yml
file.To inspect the
main
andmaster
branches, as well as release branches and the pull requests coming to your repository, save this workflow configuration to the.github/workflows/code_quality.yml
file:name: Qodana on: workflow_dispatch: pull_request: push: branches: # Specify your branches here - main # The 'main' branch - master # The 'master' branch - 'releases/*' # The release branches jobs: qodana: runs-on: ubuntu-latest permissions: contents: write pull-requests: write checks: write steps: - uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit fetch-depth: 0 # a full history is required for pull request analysis - name: 'Qodana Scan' uses: JetBrains/qodana-action@v2024.3 env: QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
We recommend that you have a separate workflow file for Qodana because different jobs run in parallel
Quick-fixes
To automatically fix issues found by Qodana and push the changes to your repository, follow the procedure below.
Choose the quick-fix strategy using either of two configuration methods:
# Possible values: apply | cleanup fixesStrategy: apply# Possible values: --apply-fixes | --cleanup args: --apply-fixesDepending on your needs, configure the
push-fixes
option of your workflow configuration:Save this configuration to create a new branch with fixes and a pull request to the original branch:
push-fixes: pull-requestAlso, enable GitHub Actions to create and approve pull requests.
Save this configuration to push fixes to the original branch:
push-fixes: branch pr-mode: falseSet the correct permissions for the job, for example:
permissions: contents: write pull-requests: write checks: write
This is an example configuration snippet containing all options:
GitHub code scanning
You can set up GitHub code scanning for your project using Qodana. To do this, add these lines to the code_quality.yml
workflow file right below the basic configuration of Qodana Scan:
This sample invokes the codeql-action
for uploading a SARIF-formatted Qodana report to GitHub, and specifies the report file using the sarif_file
key.
Pull request quality gate
You can configure GitHub to block the merging of pull requests if a quality gate has failed. To do this, create a branch protection rule as described below:
Create a new or open an existing GitHub workflow that invokes the Qodana Scan action.
Set the workflow to run on
pull_request
events that target themain
branch:on: pull_request: branches: - mainInstead of
main
, you can specify your branch here.Set the number of problems (integer) for the Qodana action
fail-threshold
option.Under your repository name, click
.On the left menu, click
.In the branch protection rules section, click
.Add
main
to .Select
.Search for the
Qodana
status check, then check it.Click
.
Baseline and quality gate
Baseline
Follow these steps to establish a baseline for your project:
Run Qodana locally on your project:
cd project qodana scan \ -e QODANA_TOKEN="<cloud-project-token>"In Qodana Cloud, add detected problems to the baseline and then download the
qodana.sarif.json
file.Upload the
qodana.sarif.json
file to your project root on GitHub.Append the
--baseline,qodana.sarif.json
argument to the Qodana Scan action configurationargs
parameter in thecode_quality.yml
file:- name: Qodana Scan uses: JetBrains/qodana-action@main with: args: --baseline,qodana.sarif.json
To update your baseline, you need to repeat these steps once more.
From this point onward, GitHub will generate alerts only for problems that were not included in the baseline as new issues.
Quality gate
To establish a quality gate, in the workflow configuration specify the --fail-threshold
option:
Combined configuration
You can combine the baseline and quality gate features to manage your technical debt, report only new problems, and block pull requests that contain too many problems. Using this configuration, you will be able to detect only new problems in pull requests that fall beyond the baseline.
At the same time, pull requests with new problems exceeding the --fail-threshold
limit will be blocked, and the workflow will fail.
Get a Qodana badge
You can set up a Qodana workflow badge in your repository, to do it, follow these steps:
Navigate to the workflow run that you previously configured.
On the workflow page, select
.Copy the Markdown text to your repository README file.
Configuration
Most likely, you won't need other options than args
: all other options can be helpful if you are configuring multiple Qodana Scan jobs in one workflow.
Use with
to define any action parameters:
Name | Description | Default Value |
---|---|---|
| Additional Qodana CLI | - |
| Directory to store the analysis results. Optional. |
|
| Upload Qodana results (SARIF, other artifacts, logs) as an artifact to the job. Optional. |
|
| Specify Qodana results artifact name, used for results uploading. Optional. |
|
| Directory to store Qodana cache. Optional. |
|
| Utilize GitHub caches for Qodana runs. Optional. |
|
| Set the primary cache key. Optional. |
|
| Set the additional cache key. Optional. |
|
| Upload cache for the default branch only. Optional. |
|
| Use annotation to mark the results in the GitHub user interface. Optional. |
|
| Analyze ONLY changed files in a pull request. Optional. |
|
| Post a comment with the Qodana results summary to the pull request. Optional. |
|
| GitHub token to access the repository: post annotations, comments. Optional. |
|
| Push Qodana fixes to the repository, can be |
|