Skip to main content

CI integration

The PR review loop becomes automatic once CI indexes both sides of a change and runs review / gate. Everything here works on any CI system because ovecc is one static binary with stable exit codes.

GitHub Actions

The drop-in Action

ovecc ships a composite GitHub Action that downloads the binary, indexes base + head, posts the review markdown as a PR comment, and gates on severity:

name: ovecc review
on: pull_request

jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # full history: base + head must both be checkout-able
- uses: Ovecc-labs/ovecc@main
with:
fail-on: high

Roll-your-own workflow

name: ovecc review
on: pull_request

jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }

- name: Install ovecc
run: |
curl -sSL -o ovecc "$OVECC_DOWNLOAD_URL"
chmod +x ovecc && sudo mv ovecc /usr/local/bin/

- name: Index base
run: |
git checkout ${{ github.event.pull_request.base.sha }}
ovecc index .

- name: Index head
run: |
git checkout ${{ github.event.pull_request.head.sha }}
ovecc index .

- name: Review (fails on new defects)
run: |
ovecc review --format markdown --fail-on high | tee review.md

- name: Comment on the PR
if: always()
uses: marocchino/sticky-pull-request-comment@v2
with:
path: review.md

SARIF upload (code scanning)

- name: Export SARIF
run: ovecc violations --format sarif > ovecc.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ovecc.sarif

Findings then appear in the repository's Security → Code scanning tab with file:line annotations on the PR diff.

GitLab CI

--format codeclimate emits the Code Quality report format GitLab renders natively on merge requests:

ovecc:
stage: test
script:
- git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
- git checkout origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME && ovecc index .
- git checkout $CI_COMMIT_SHA && ovecc index .
- ovecc gate --fail-on high
- ovecc violations --format codeclimate > gl-code-quality-report.json
artifacts:
reports:
codequality: gl-code-quality-report.json
when: always

Any CI system

The generic recipe is four commands and an exit code:

git checkout "$BASE_SHA" && ovecc index .
git checkout "$HEAD_SHA" && ovecc index .
ovecc review --format markdown > review.md # human artifact
ovecc gate --fail-on high # exit 1 = block the merge

Useful properties when scripting:

  • Exit 1 means "threshold crossed" — the full report is still printed, so your CI log always explains the failure. Exit ≥ 2 means the run itself broke (codes).
  • A closed pipe is not an error (ovecc report | head exits 0).
  • Baseline ratchet for legacy repos: commit .ovecc/baseline.json (created with ovecc violations --write-baseline) and run ovecc violations --baseline --fail-on any in CI. Only new findings fail.
  • Change scoping: ovecc violations --changed-since origin/main limits findings to files the PR touched.
  • Dependency audit in CI: ovecc audit --fetch --fail-on high (the only step that needs network; cache .ovecc/osv/ to keep it offline).

Caching

.ovecc/graph.db contains the parse cache and all snapshots. Persisting it between CI runs (as a cache keyed on the branch) turns indexing into an incremental operation; without it, each run pays the cold-index cost, which is still fine for small and medium repositories.