Qodana Scan GitHub action

Usage

Basic configuration

To configure Qodana Scan, save the .github/workflows/code_quality.yml file containing the workflow configuration:

name: Qodana
on:
  workflow_dispatch:
  pull_request:
  push:
    branches:
      - main
      - 'releases/*'

jobs:
  qodana:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v5.0.2

Using this workflow, Qodana will run on the main branch, release branches, and on the pull requests coming to your repository.

We recommend that you have a separate workflow file for Qodana because different jobs run in parallel.

GitHub code scanning

You can set up GitHub code scanning for your project using Qodana. To do it, add these lines to the code_quality.yml workflow file right below the basic configuration of Qodana Scan:

      - uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json

This sample invokes codeql-action for uploading a SARIF-formatted Qodana report to GitHub, and specifies the report file using the sarif_file key.

Pull request quality gate

You can enforce GitHub to block the merge of pull requests if the Qodana quality gate has failed. To do it, create a branch protection rule as described below:

Create a new or open an existing GitHub workflow that invokes the Qodana Scan action.
Set the workflow to run on pull_request events that target the main branch.

on:
  pull_request:
    branches:
      - main

Instead of main, you can specify your branch here.

Set the number of problems (integer) for the Qodana action fail-threshold option.
Under your repository name, click Settings.
On the left menu, click Branches.
In the branch protection rules section, click Add rule.
Add main to Branch name pattern.
Select Require status checks to pass before merging.
Search for the Qodana status check, then check it.
Click Create.

Quality gate and baseline

You can combine the quality gate and baseline features to manage your technical debt, report only new problems, and block pull requests that contain too many problems.

Follow these steps to establish a baseline for your project:

Run Qodana locally over your project:

cd <source-directory>
qodana scan --show-report

Open your report at http://localhost:8080/, add detected problems to the baseline, and download the qodana.sarif.json file.
Upload the qodana.sarif.json file to your project root folder on GitHub.
Append this line to the Qodana Scan action configuration in the code_quality.yml file:

baseline-path: qodana.sarif.json

If you want to update the baseline, you need to repeat these steps once again.

Starting from this, GitHub will generate alters only for the problems that were not added to the baseline as new.

To establish a quality gate additionally to the baseline, add this line to code_quality.yml right after the baseline-path line:

fail-threshold: <number-of-accepted-problems>

Based on this, you will be able to detect only new problems in pull requests that fall beyond the baseline. At the same time, pull requests with new problems exceeding the fail-threshold limit will be blocked and the workflow will fail.

GitHub Pages

If you wish to study Qodana reports directly on GitHub, you can host them on your GitHub Pages repository using this example workflow:

      - name: Deploy to GitHub Pages
        uses: peaceiris/actions-gh-pages@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ${{ runner.temp }}/qodana/results/report
          destination_dir: ./

Get a Qodana badge

You can set up a Qodana workflow badge in your repository, to do it, follow these steps:

Navigate to the workflow run that you previously configured.
On the workflow page, select Create status badge.
Copy the Markdown text to your repository README file.

Configuration

Most likely you won't need other options than args: all other options can be useful if you are configuring multiple Qodana Scan jobs in one workflow.

Name	Description	Default Value
`args`	Additional Qodana CLI `scan` command arguments, split the arguments with commas (`,`), for example `-i,frontend,--print-problems`. Optional.	-
`results-dir`	Directory to store the analysis results. Optional.	`${{ runner.temp }}/qodana/results`
`upload-result`	Upload Qodana results as an artifact to the job. Optional.	`true`
`artifact-name`	Specify Qodana results artifact name, used for results uploading. Optional.	`qodana-report`
`cache-dir`	Directory to store Qodana cache. Optional.	`${{ runner.temp }}/qodana/caches`
`use-caches`	Utilize GitHub caches for Qodana runs. Optional.	`true`
`additional-cache-hash`	Allows customizing the generated cache hash. Optional.	`${{ github.sha }}`
`use-annotations`	Use annotation to mark the results in the GitHub user interface. Optional.	`true`
`github-token`	GitHub token to be used for uploading results. Optional.	`${{ github.token }}`

Last modified: 12 May 2022