Read Anthropic’s case study about Graphite Reviewer

Enhancing code quality on GitHub with tools, metrics, and actions

Kenny DuMez
Kenny DuMez
Graphite software engineer

Maintaining high code quality is important to the success of any software project. On GitHub, where collaboration and open-source contributions are commonplace, enforcing code quality becomes even more essential. This guide will cover the aspects of enhancing code quality on GitHub by leveraging various tools, metrics, and actions.

Code quality refers to the attributes of code that make it efficient, maintainable, and reliable. In the context of GitHub, maintaining high code quality is important because it enhances collaboration among developers, simplifies code reviews, reduces bugs, and improves project reputation. By leveraging tools like advanced code review systems, continuous integration, linters, and automated testing, developers can ensure their code meets high standards to benefit both their projects and the broader development community.

  • Maintainability: High-quality code is easier to understand and modify.
  • Collaboration: Consistent coding standards facilitate teamwork.
  • Performance: Optimized code enhances application performance.
  • Security: Good code practices reduce vulnerabilities.

GitHub offers a variety of tools to help maintain and improve code quality. These tools integrate seamlessly with repositories, providing real-time feedback and automation.

GitHub's SAST tool, known as GitHub code scanning, integrates static application security testing directly into your development workflow. By automatically analyzing code for vulnerabilities and potential security issues, it helps developers identify and fix problems early, enhancing both code quality and application security.

  • Overview: CodeQL is GitHub's code analysis engine that allows you to query code as data to find security vulnerabilities.

  • Setup:

    Terminal
    name: 'CodeQL Analysis'
    on:
    push:
    branches: [main]
    pull_request:
    branches: [main]
    jobs:
    codeql:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Initialize CodeQL
    uses: github/codeql-action/init@v2
    with:
    languages: ['javascript', 'python'] # Adjust languages as needed
    - name: Perform CodeQL Analysis
    uses: github/codeql-action/analyze@v2
  • Benefits: Automates code scanning for vulnerabilities, integrates with GitHub code scanning alerts.

Linters analyze source code to flag programming errors, bugs, stylistic errors, and suspicious constructs. The Super Linter is a GitHub Action that runs multiple linters to validate your code.

  • Setup:

    Terminal
    name: 'Super-Linter'
    on: [push, pull_request]
    jobs:
    lint-codebase:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Lint Code Base
    uses: github/super-linter@v5
    env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  • Benefits: Supports multiple programming languages, enforces consistent code standards.

  • ESLint: Identifies and reports on patterns in JavaScript, enabling code consistency.

  • Prettier: An opinionated code formatter that enforces a consistent style.

  • Setup ESLint and Prettier:

    Terminal
    npm install eslint prettier --save-dev
    npx eslint --init
  • Integrate with GitHub Actions:

    Terminal
    name: 'Lint and Format'
    on: [push, pull_request]
    jobs:
    lint-format:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Install Dependencies
    run: npm install
    - name: Run ESLint
    run: npx eslint .
    - name: Run Prettier
    run: npx prettier --check .

Security scanners, like Dependabot, detect vulnerabilities in your code and dependencies. Dependabot alerts you about vulnerable dependencies and opens pull requests to update them.

  • Setup:

    • Enable Dependabot alerts in your repository settings.
    • Configure dependabot.yml for automatic updates.
    Terminal
    version: 2
    updates:
    - package-ecosystem: 'npm'
    directory: '/'
    schedule:
    interval: 'daily'

Measuring code quality involves tracking specific metrics that provide insights into the health of your codebase. Some of those key metrics include:

  • Cyclomatic Complexity: Indicates the complexity of your code by measuring the number of linearly independent paths.
  • Code Coverage: Percentage of code executed during testing.
  • Technical Debt Ratio: The estimated time to fix issues divided by the time to build the software.
  • Maintainability Index: Assesses how maintainable your code is.
  • Overview: With Graphite Insights, teams can leverage visual dashboards, generate custom reports, and get notifications to monitor key metrics.
  • Setup: Integrating Graphite with GitHub is straightforward: sign up, connect your repository, install the Graphite GitHub App, and configure your team settings to tailor insights. These capabilities improve code quality by identifying bottlenecks, foster collaboration through better communication, and enable data-driven decisions with real-time metrics.
  • Benefits: Graphite enhances GitHub by offering faster code reviews and insightful metrics to optimize development workflows.
  • Overview: Codecov provides code coverage metrics and integrates with CI pipelines.

  • Setup with GitHub Actions:

    Terminal
    - name: 'Upload Coverage to Codecov'
    uses: codecov/codecov-action@v3
    with:
    token: ${{ secrets.CODECOV_TOKEN }}
  • Benefits: Visualizes code coverage and helps identify untested code.

GitHub Actions can automate code quality checks to ensure that every push and pull request meets your standards.

  • Step 1: Create workflow file

    • Add a YAML file in .github/workflows/, e.g., code-quality-check.yml.
  • Step 2: Define triggers

    • Specify when the workflow should run:

      Terminal
      on:
      push:
      branches: [main]
      pull_request:
      branches: [main]
  • Step 3: Add jobs and steps

    • Define the tasks, such as code analysis, linting, and testing.
Terminal
name: 'Code Quality Pipeline'
on: [push, pull_request]
jobs:
code-quality:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [14.x]
steps:
- uses: actions/checkout@v3
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v3
with:
node-version: ${{ matrix.node-version }}
- name: Install Dependencies
run: npm install
- name: Run ESLint
run: npx eslint .
- name: Run Prettier
run: npx prettier --check .
- name: Run Tests
run: npm test
- name: Upload Coverage to Codecov
uses: codecov/codecov-action@v3
with:
token: ${{ secrets.CODECOV_TOKEN }}
- name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@v1.10
with:
args: >
-Dsonar.organization=my_org
-Dsonar.projectKey=my_project
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Automation ensures consistent enforcement of code quality standards. Here's how to enforce code quality in PRs with GitHub Actions:

  • Branch protection rules:

    • Require status checks to pass before merging.
    • Navigate to Settings > Branches and configure protection rules.
  • Required status checks:

    • Specify which checks must pass (e.g., ESLint, tests).
  • Integrate code quality checks in CI/CD pipelines:
    • Include code analysis, linting, and testing in your CI workflow.
    • Automate deployments only if code quality checks pass.

Adopting best practices enhances the effectiveness of tools and actions. Here's some consistent coding standards you can adhere to:

  • Style guides:
  • Peer Reviews:
    • Implement mandatory code reviews.
    • Use GitHub's review feature to discuss changes.
  • Inline Comments:
    • Write meaningful comments where necessary.
  • README and Wikis:
    • Maintain up-to-date documentation.
  • Dependabot and Other Tools:
    • Keep dependencies up to date to avoid security risks.
  • Dashboards and Reports:
  • Technical Debt Management:
    • Address issues promptly to reduce accumulated debt.

Enhancing code quality on GitHub is a multifaceted effort involving tools, metrics, and automation. By integrating code analysis GitHub actions, utilizing code quality tools GitHub offers, and monitoring code quality metrics GitHub provides, you can significantly improve your codebase. Implementing these practices not only ensures a high standard of code quality in GitHub but also fosters better collaboration and accelerates development cycles. Start leveraging these strategies today to elevate your projects on GitHub.

Graphite
Git stacked on GitHub

Stacked pull requests are easier to read, easier to write, and easier to manage.
Teams that stack ship better software, faster.

Or install our CLI.
Product Screenshot 1
Product Screenshot 2