GitHub Actions
Last modified: 05 March 2025

The Qodana Scan GitHub action allows you to run Qodana in a GitHub repository.
Prepare your project
Qodana Cloud
All configuration examples in this section use a project token generated by Qodana Cloud. This token is required for the paid Qodana linters and optional for use with the Community linters. You can see these sections to learn how to generate the project token in the Qodana Cloud UI:
The project setup section explains how to generate a project token when first working with Qodana Cloud.
The Manage a project section explains how to create a project token within an existing Qodana Cloud organization.
Once you obtain the project token, you can use the QODANA_TOKEN variable for identification in a pipeline or workflow.
If you are using a Qodana Cloud instance other than https://qodana.cloud/, override it by setting the QODANA_ENDPOINT environment variable.
Basic configuration
On the Settings tab of the GitHub UI, create the QODANA_TOKEN encrypted secret and save the project token as its value. If you are using a Qodana Cloud instance other than https://qodana.cloud/, override it by declaring the QODANA_ENDPOINT environment variable.
On the Actions tab of the GitHub UI, set up a new workflow and create the .github/workflows/code_quality.yml file.
To inspect the main and master branches, as well as release branches and the pull requests coming to your repository, save this workflow configuration to the .github/workflows/code_quality.yml file:

```yaml
name: Qodana
on:
  workflow_dispatch:
  pull_request:
  push:
    branches: # Specify your branches here
      - main # The 'main' branch
      - master # The 'master' branch
      - 'releases/*' # The release branches

jobs:
  qodana:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      checks: write
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit
          fetch-depth: 0  # a full history is required for pull request analysis
      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2024.3
        env:
          QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
```
Note: fetch-depth: 0 is required for checkout when Qodana works in pull request mode (reports issues that appeared only in that pull request).
We recommend that you have a separate workflow file for Qodana because different jobs run in parallel.
Quick-fixes
To automatically fix issues found by Qodana and push the changes to your repository, follow the procedure below.
Choose the quick-fix strategy using either of two configuration methods:
qodana.yaml:

```yaml
# Possible values: apply | cleanup
fixesStrategy: apply
```

Workflow configuration:

```yaml
# Possible values: --apply-fixes | --cleanup
args: --apply-fixes
```

Depending on your needs, configure the push-fixes option of your workflow configuration:
Pull request: Save this configuration to create a new branch with fixes and a pull request to the original branch:

```yaml
push-fixes: pull-request
```

Also, enable GitHub Actions to create and approve pull requests.
Original branch: Save this configuration to push fixes to the original branch:

```yaml
push-fixes: branch
pr-mode: false
```

Set the correct permissions for the job, for example:

```yaml
permissions:
  contents: write
  pull-requests: write
  checks: write
```

This is an example configuration snippet containing all options:

```yaml
permissions:
  contents: write
  pull-requests: write
  checks: write
steps:
  - name: 'Qodana Scan'
    uses: JetBrains/qodana-action@v2024.3
    with:
      args: --apply-fixes
      push-fixes: pull-request
    env:
      QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
```

Tip: Note that Qodana can automatically modify not only the code but also the configuration in .idea. If you do not wish to push these changes, add .idea to your .gitignore file.
GitHub code scanning
You can set up GitHub code scanning for your project using Qodana. To do this, add these lines to the code_quality.yml workflow file right below the basic configuration of Qodana Scan:

```yaml
- uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: ${{ runner.temp }}/qodana/results/qodana.sarif.json
```

This sample invokes the codeql-action for uploading a SARIF-formatted Qodana report to GitHub, and specifies the report file using the sarif_file key.
Tip: GitHub code scanning does not export inspection results to third-party tools, which means that you cannot use this data for further processing by Qodana. You therefore have to set up baseline and quality gate processing on the Qodana side before submitting inspection results to GitHub code scanning; see the Baseline and quality gate section for details.
Pull request quality gate
You can configure GitHub to block the merging of pull requests if a quality gate has failed. To do this, create a branch protection rule as described below:
Create a new or open an existing GitHub workflow that invokes the Qodana Scan action.
Set the workflow to run on pull_request events that target the main branch:

```yaml
on:
  pull_request:
    branches:
      - main
```

Instead of main, you can specify your branch here.
Set the number of problems (integer) for the Qodana action fail-threshold option.
Under your repository name, click Settings.
On the left menu, click Branches.
In the branch protection rules section, click Add rule.
Add main to Branch name pattern.
Select Require status checks to pass before merging.
Search for the Qodana status check, then check it.
Click Create.
Baseline and quality gate
Baseline
Follow these steps to establish a baseline for your project:
Run Qodana locally on your project:

```shell
cd project
qodana scan \
   -e QODANA_TOKEN="<cloud-project-token>"
```

In Qodana Cloud, add detected problems to the baseline and then download the qodana.sarif.json file.
Upload the qodana.sarif.json file to your project root on GitHub.
Append the --baseline,qodana.sarif.json argument to the Qodana Scan action configuration args parameter in the code_quality.yml file:

```yaml
- name: Qodana Scan
  uses: JetBrains/qodana-action@main
  with:
    args: --baseline,qodana.sarif.json
```

To update your baseline, repeat these steps.
From this point onward, GitHub will generate alerts, as new issues, only for problems that were not included in the baseline.
Quality gate
To establish a quality gate, in the workflow configuration specify the --fail-threshold option:

```yaml
- name: Qodana Scan
  uses: JetBrains/qodana-action@v2024.3
  with:
    args: --fail-threshold,<number-of-accepted-problems>
  env:
    QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
```

Combined configuration
You can combine the baseline and quality gate features to manage your technical debt, report only new problems, and block pull requests that contain too many problems. Using this configuration, you will be able to detect only new problems in pull requests that fall beyond the baseline.

```yaml
- name: Qodana Scan
  uses: JetBrains/qodana-action@v2024.3
  with:
    args: --baseline,qodana.sarif.json,--fail-threshold,<number-of-accepted-problems>
  env:
    QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
```

At the same time, pull requests with new problems exceeding the --fail-threshold limit will be blocked, and the workflow will fail.
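
The interaction between the baseline and the fail threshold described in the Baseline, Quality gate and Combined configuration sections can be modelled over two SARIF reports. This is an added example, not Qodana's code: it assumes a result counts as known when it matches a baseline result by partialFingerprints (or by rule, file and line when no fingerprint exists), and that the gate fails when new problems exceed the threshold. The rule names, paths and fingerprint key in the sample data are constructed.

```python
"""Model of the baseline + fail-threshold gate over SARIF reports (illustrative, not Qodana's code)."""

def result_key(result):
    # Prefer the SARIF partialFingerprints; fall back to rule + file + line
    # (the fallback matching rule is an assumption of this example).
    fingerprints = result.get("partialFingerprints")
    if fingerprints:
        return ("fp",) + tuple(sorted(fingerprints.items()))
    loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
    return ("loc", result.get("ruleId"),
            loc.get("artifactLocation", {}).get("uri"),
            loc.get("region", {}).get("startLine"))

def all_results(sarif):
    # A SARIF log holds one or more runs, each with a results array.
    return [r for run in sarif.get("runs", []) for r in run.get("results") or []]

def gate(report, baseline, fail_threshold):
    """Return (new_results, passed): baseline problems are ignored and the
    gate fails once the number of new problems exceeds fail_threshold."""
    known = {result_key(r) for r in all_results(baseline)}
    new = [r for r in all_results(report) if result_key(r) not in known]
    return new, len(new) <= fail_threshold

def _result(rule, uri, line, fingerprint=None):
    # Builds one constructed SARIF result for the sample data below.
    res = {"ruleId": rule, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}
    if fingerprint:
        res["partialFingerprints"] = {"constructedFingerprint/v1": fingerprint}
    return res

# Constructed sample reports (rule names, paths and fingerprints are made up).
BASELINE = {"version": "2.1.0", "runs": [{"results": [
    _result("UnusedImport", "src/app.py", 3, "aa11"),
    _result("HardcodedPassword", "src/db.py", 12)]}]}
REPORT = {"version": "2.1.0", "runs": [{"results": [
    _result("UnusedImport", "src/app.py", 5, "aa11"),    # moved, same fingerprint
    _result("HardcodedPassword", "src/db.py", 12),       # unchanged, matched by location
    _result("SqlInjection", "src/db.py", 40, "bb22"),    # new
    _result("UnusedImport", "src/util.py", 1, "cc33")]}]}  # new

if __name__ == "__main__":
    for threshold in (1, 2):
        new, passed = gate(REPORT, BASELINE, threshold)
        print(threshold, [r["ruleId"] for r in new], "pass" if passed else "fail")
```

With the sample data, two problems are new, so a threshold of 1 fails the gate and a threshold of 2 passes it.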
Get a Qodana badge
You can set up a Qodana workflow badge in your repository. To do so, follow these steps:
Navigate to the workflow run that you previously configured.
On the workflow page, select Create status badge.
Copy the Markdown text to your repository README file.
Configuration
Most likely, you won't need other options than args: all other options can be helpful if you are configuring multiple Qodana Scan jobs in one workflow.
Use with to define any action parameters:

```yaml
with:
  args: --baseline,qodana.sarif.json
  cache-default-branch-only: true
```

| Name | Description | Default Value |
|---|---|---|
| | Additional Qodana CLI | - |
| | Directory to store the analysis results. Optional. | |
| | Upload Qodana results (SARIF, other artifacts, logs) as an artifact to the job. Optional. | |
| | Specify Qodana results artifact name, used for results uploading. Optional. | |
| | Directory to store Qodana cache. Optional. | |
| | Utilize GitHub caches for Qodana runs. Optional. | |
| | Set the primary cache key. Optional. | |
| | Set the additional cache key. Optional. | |
| | Upload cache for the default branch only. Optional. | |
| | Use annotation to mark the results in the GitHub user interface. Optional. | |
| | Analyze ONLY changed files in a pull request. Optional. | |
| | Post a comment with the Qodana results summary to the pull request. Optional. | |
| | GitHub token to access the repository: post annotations, comments. Optional. | |
| | Push Qodana fixes to the repository, can be | |