Setting Up CI/CD for Code Quality
Automate code reviews and quality checks in your CI/CD pipeline. Catch issues before they reach production.
Why Automate Code Quality?
Manual code reviews are essential, but they can't catch everything. Automated checks run consistently, never get tired, and provide instant feedback to developers.
1. Essential CI/CD Stages for Code Quality
Stage 1: Linting & Formatting
Enforce code style consistency across the team
- • ESLint, Prettier for JavaScript/TypeScript
- • Pylint, Black for Python
- • RuboCop for Ruby
- • Golint for Go
Stage 2: Unit Tests
Verify individual components work correctly
- • Jest, Vitest for JavaScript
- • PyTest for Python
- • JUnit for Java
- • Track coverage with Codecov or Coveralls
Stage 3: Security Scanning
Detect vulnerabilities in dependencies and code
- • Snyk for dependency vulnerabilities
- • Dependabot for automated updates
- • OWASP Dependency-Check
- • Trivy for container scanning
Stage 4: Static Analysis
Deep code analysis for bugs and code smells
- • SonarQube for comprehensive analysis
- • CodeClimate for maintainability
- • CodeRaptor for AI-powered review
- • CodeQL for security patterns
Stage 5: Integration Tests
Test how components work together
- • Cypress, Playwright for E2E tests
- • Postman/Newman for API tests
- • Selenium for browser automation
2. GitHub Actions Example
Here's a complete GitHub Actions workflow for code quality:
name: Code Quality
on:
pull_request:
branches: [main, develop]
push:
branches: [main]
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- run: npm run lint
- run: npm run format:check
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
- run: npm ci
- run: npm test -- --coverage
- uses: codecov/codecov-action@v3
with:
files: ./coverage/coverage-final.json
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
code-review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: coderaptor/action@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
api-key: ${{ secrets.CODERAPTOR_API_KEY }}3. GitLab CI Example
stages:
- lint
- test
- security
- review
lint:
stage: lint
image: node:20
script:
- npm ci
- npm run lint
- npm run format:check
test:
stage: test
image: node:20
script:
- npm ci
- npm test -- --coverage
coverage: '/Statements\s*:\s*(\d+\.\d+)%/'
security:
stage: security
image: snyk/snyk:node
script:
- snyk test --severity-threshold=high
code-review:
stage: review
image: coderaptor/cli:latest
script:
- coderaptor review --mode=ci
only:
- merge_requests4. Set Quality Gates
Define minimum standards that must pass:
Example Quality Gates
5. Optimize CI/CD Performance
Caching Dependencies
- uses: actions/cache@v3
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-Parallel Jobs
Run independent checks in parallel to save time:
- Linting can run parallel with tests
- Security scans can run parallel with code review
- Use matrix strategies for multi-platform testing
Only Run What Changed
on:
pull_request:
paths:
- 'src/**'
- 'tests/**'
- 'package.json'6. Fail Fast vs Fail Safe
Fail Fast (Recommended)
Stop immediately on first failure
- • Faster feedback to developers
- • Saves CI/CD minutes
- • Forces fixing issues immediately
Continue on Error
Run all checks even if one fails
- • See all issues at once
- • Better for reporting
- • Use for non-blocking checks
7. Status Checks and Branch Protection
On GitHub, require status checks before merging:
- Go to repository Settings → Branches
- Add branch protection rule for
main - Enable "Require status checks to pass before merging"
- Select which checks are required:
- ✅ lint
- ✅ test
- ✅ security
- ✅ code-review
- Enable "Require branches to be up to date before merging"
8. Notification Strategy
When to Notify
- Always notify: Build failures, security vulnerabilities
- Selective notify: Coverage drops, new code smells
- Never spam: Successful builds (unless first success after failures)
Where to Notify
- Slack/Discord for critical failures
- Email for security alerts
- PR comments for code quality issues
- Dashboard for trends and metrics
9. Measuring CI/CD Effectiveness
Key Metrics
10. Common Pitfalls to Avoid
❌ Running Tests Sequentially
Wastes time. Run independent tests in parallel with matrix strategies.
❌ No Caching
Downloading dependencies every time. Cache node_modules, pip packages, etc.
❌ Testing Everything on Every Commit
Use path filters to only run relevant tests when specific files change.
❌ Ignoring Flaky Tests
Fix or quarantine flaky tests immediately. They erode trust in your CI.
11. Advanced: Pre-commit Hooks
Catch issues before they even reach CI:
# .husky/pre-commit
#!/bin/sh
npm run lint-staged
# package.json
{
"lint-staged": {
"*.{js,ts,tsx}": [
"eslint --fix",
"prettier --write"
],
"*.{json,md}": [
"prettier --write"
]
}
}12. Cost Optimization
Reduce CI/CD Costs
- Use self-hosted runners for private repos (cheaper than cloud minutes)
- Cache aggressively to reduce build times
- Only run full test suite on main, subset on PRs
- Use smaller Docker images (alpine vs full ubuntu)
- Clean up old artifacts and logs regularly
Automate Code Review in CI/CD
CodeRaptor integrates seamlessly with GitHub Actions, GitLab CI, and other CI/CD platforms. Get AI-powered code reviews automatically on every pull request.