Codacy GitHub Actions: Static Analysis, Coverage Reporting, and CLI Integration

The integration of automated code quality tools into continuous integration and continuous deployment (CI/CD) pipelines is a critical component of modern software engineering. Codacy provides a suite of GitHub Actions designed to automate code review, ensuring that development teams maintain high standards of code quality across more than 40 supported programming languages. These actions facilitate static analysis, coverage reporting, and the execution of client-side tools, allowing for comprehensive quality control directly within the GitHub ecosystem. By leveraging these tools, organizations can enforce specific quality rules, code patterns, and settings to prevent issues from entering the main codebase.

The primary mechanisms for this integration include the Codacy Analysis CLI Action, which performs static analysis and can integrate with GitHub Code Scanning; the Codacy Coverage Reporter Action, which uploads coverage data to track test effectiveness; and the Codacy CLI v2 Action, which supports specific client-side tools like ESLint. Each of these actions requires proper configuration, particularly regarding authentication tokens and workflow definitions, to function effectively.

Static Code Analysis with Codacy Analysis CLI

The Codacy Analysis CLI Action serves as the primary mechanism for running static analysis on repositories. It supports over 40 languages, including PHP, JavaScript, Python, Java, and Ruby. This action analyzes code to identify issues and returns results that can be used to enforce quality standards. The tool is designed to fit into various workflow scenarios, offering flexibility in how analysis results are handled and displayed.

By default, when the Codacy GitHub Action is employed with default settings, it performs a comprehensive analysis of each commit or pull request. It runs all supported static code analysis tools for the languages detected in the repository. The results of this analysis are printed to the console, making them visible in the GitHub Action's workflow panel. A critical feature of the default configuration is that the workflow will fail if at least one issue is found in the code. This behavior ensures that code quality violations are addressed before merging.

To implement the action with default settings, developers must create a workflow file, typically named .github/workflows/codacy-analysis.yaml. The configuration triggers on push events and utilizes the codacy/codacy-analysis-cli-action@master action after checking out the code.

yaml name: Codacy Analysis CLI on: ["push"] jobs: codacy-analysis-cli: name: Codacy Analysis CLI runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@main - name: Run Codacy Analysis CLI uses: codacy/codacy-analysis-cli-action@master

Beyond the default console output, the action supports two distinct integration scenarios that alter how results are processed and displayed. The first is the integration with GitHub Code Scanning. In this mode, the action analyzes each commit and pull request to the master or main branch by running all supported static analysis tools. The results are uploaded to GitHub, where they are displayed under the repository's Security tab, specifically within the Code scanning alerts page. This provides a centralized location for security-related code issues within the GitHub interface.

The second integration scenario is the integration with Codacy for client-side tools. This mode analyzes each commit and pull request using one of Codacy's client-side tools and uploads the results to the Codacy platform. The results are then displayed in Codacy's UI dashboards. Additionally, this integration can report the status of the analysis directly on GitHub pull requests, providing immediate feedback to developers.

Configuring Codacy Integration for Client-Side Tools

To utilize the Codacy integration for client-side tools, specific configurations must be performed both within the Codacy platform and in the GitHub Actions workflow. On the Codacy side, users must enable the containerized client-side tool and configure the corresponding code patterns on the repository's Code patterns page. This step allows teams to define custom quality rules, code patterns, and quality settings to enforce specific standards.

Furthermore, within the Codacy repository settings, under the General tab and Repository analysis section, the option "Run analysis through build server" must be enabled. This setting is crucial because it instructs Codacy to wait for the results of the local analysis performed by the GitHub Action before resuming its own analysis of the commits. This synchronization ensures that the results uploaded from the build server are incorporated into the final quality report.

Authentication is required for the GitHub Action to communicate with Codacy. This is achieved by setting up an API token. The approach to token management depends on the scope of the integration:

  • For a single repository, a project API token should be obtained and stored as an encrypted secret in the GitHub repository with the name CODACY_PROJECT_TOKEN.
  • For multiple repositories, an account API token should be obtained and stored as an encrypted secret at the organization level with the name CODACY_API_TOKEN.

Security is paramount when handling these tokens. API tokens grant owner permissions to projects on Codacy. Therefore, they must never be written directly to configuration files. Instead, they must be kept well-protected using GitHub's secret management features to prevent unauthorized access.

Tracking Code Coverage with Codacy Coverage Reporter

While static analysis focuses on code quality and potential bugs, code coverage metrics provide insight into the effectiveness of the test suite. The Codacy Coverage Reporter Action uploads coverage reports to Codacy on all commits and pull requests. This functionality allows teams to track code coverage trends over time via the Codacy UI.

After setting up the action, users can optionally enable status checks on pull requests. This feature acts as a guardrail to prevent the addition of untested code or a decrease in overall coverage. If coverage drops below a defined threshold or if new code is introduced without corresponding tests, the status check can fail, blocking the merge until the issue is resolved.

Prerequisites for using the Coverage Reporter Action include having tests in place and using tools that generate coverage reports for the source code files in the repository. The action itself does not generate coverage reports; it only uploads them. Therefore, the CI pipeline must first execute the test suite and produce a coverage report in a format supported by Codacy before the reporter action can be invoked.

Authentication for the Coverage Reporter Action follows the same protocol as the Analysis CLI. Developers must set up an API token to allow the action to authenticate with Codacy. The token storage strategy mirrors the analysis setup:

  • For a single repository, obtain a project API token and store it as an encrypted secret for the repository with the name CODACY_PROJECT_TOKEN.
  • For multiple repositories, obtain an account API token and store it as an encrypted secret for the organization with the name CODACY_API_TOKEN.

As with the analysis action, never write API tokens to configuration files. These tokens grant owner permissions and must be kept secure.

Advanced Analysis with Codacy CLI v2 Action

For teams requiring more granular control over the analysis process, particularly with specific client-side tools, the Codacy CLI v2 Action offers an alternative approach. This action utilizes the codacy-cli-v2 command-line tool, which supports analyzing code and uploading results in SARIF (Static Analysis Results Interchange Format) to Codacy.

Currently, the codacy-cli-v2 tool only supports the eslint tool for analysis. This makes it particularly relevant for JavaScript and TypeScript projects where ESLint is the standard linter. The tool provides two main commands: analyze and upload.

To use the codacy-cli-v2-action, several prerequisites must be met:

  • A repository must exist on both GitHub and Codacy.
  • A project token is required for authentication.
  • A valid codacy-cli-v2 configuration file is needed. This is usually achieved by running codacy-cli-v2 init in the root of the repository.
  • If the intention is to upload the report to Codacy, the upload_report input must be set to true. Additionally, the flag "Run analysis on your build server" must be enabled in the repository settings on Codacy.

The workflow configuration for this action differs slightly from the standard analysis action. It requires specifying the tool to use for analysis. Below is an example of how to configure the codacy-cli-v2-action in a GitHub workflow:

yaml steps: # ... - name: Run Codacy CLI uses: codacy/codacy-cli-v2-action@main with: project_token: ${{ secrets.CODACY_PROJECT_TOKEN }} tool: eslint upload_report: true # ...

The action accepts several inputs to configure its behavior. The project_token is required and corresponds to the project token for the Codacy project. The tool input is also required and specifies the tool to use for analysis, such as eslint. The upload_report input determines whether the analysis results are uploaded to Codacy.

Synthesis of Integration Strategies

The choice between the Codacy Analysis CLI Action, the Coverage Reporter Action, and the CLI v2 Action depends on the specific needs of the development team. The Analysis CLI Action is the most general-purpose tool, suitable for teams looking to automate static analysis across multiple languages with minimal configuration. Its integration with GitHub Code Scanning provides a seamless experience for developers who prefer to view security alerts within the GitHub interface.

For teams that rely heavily on custom linting rules or specific client-side tools like ESLint, the CLI v2 Action offers greater flexibility. However, its current limitation to ESLint means it is best suited for JavaScript/TypeScript projects. The requirement to initialize the CLI and manage configuration files adds a layer of complexity compared to the default analysis action.

The Coverage Reporter Action complements the analysis tools by ensuring that test coverage is monitored and maintained. By enabling status checks, teams can enforce a policy that prevents the degradation of test coverage over time. This is particularly important for large codebases where untested code can introduce subtle bugs that static analysis might not catch.

Authentication and security are common threads across all three actions. The use of encrypted secrets for API tokens is mandatory to prevent security breaches. Teams should carefully consider whether to use project-level tokens for individual repositories or account-level tokens for organization-wide consistency. The latter simplifies management for large organizations but requires careful handling of permissions.

Conclusion

Codacy's GitHub Actions provide a robust framework for automating code quality and coverage checks within the CI/CD pipeline. By leveraging the Analysis CLI Action, teams can enforce static analysis rules across more than 40 languages, with options to integrate results into GitHub Code Scanning or Codacy's UI. The Coverage Reporter Action ensures that test coverage is tracked and maintained, preventing the introduction of untested code. For specific use cases, particularly with ESLint, the CLI v2 Action offers specialized analysis capabilities.

Proper configuration of these tools, including the secure management of API tokens and the alignment of Codacy settings with GitHub workflows, is essential for their effective deployment. The ability to define custom quality rules and patterns allows teams to tailor the analysis to their specific standards. As codebases grow in complexity, the automated enforcement of quality standards through these actions becomes increasingly vital for maintaining code health and developer productivity.

Sources

  1. Codacy Analysis CLI
  2. Codacy Coverage Reporter
  3. Codacy Coverage Reporter Action
  4. Codacy CLI v2 Action

Related Posts