CI integration
The PR review loop becomes automatic once CI indexes both
sides of a change and runs review /
gate. Everything here works on any CI system because
ovecc is one static binary with stable exit codes.
GitHub Actions
The drop-in Action
ovecc ships a composite GitHub Action that downloads the binary, indexes base + head, posts the review markdown as a PR comment, and gates on severity:
name: ovecc review
on: pull_request
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # full history: base + head must both be checkout-able
- uses: Ovecc-labs/ovecc@main
with:
fail-on: high
Roll-your-own workflow
name: ovecc review
on: pull_request
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- name: Install ovecc
run: |
curl -sSL -o ovecc "$OVECC_DOWNLOAD_URL"
chmod +x ovecc && sudo mv ovecc /usr/local/bin/
- name: Index base
run: |
git checkout ${{ github.event.pull_request.base.sha }}
ovecc index .
- name: Index head
run: |
git checkout ${{ github.event.pull_request.head.sha }}
ovecc index .
- name: Review (fails on new defects)
run: |
ovecc review --format markdown --fail-on high | tee review.md
- name: Comment on the PR
if: always()
uses: marocchino/sticky-pull-request-comment@v2
with:
path: review.md
SARIF upload (code scanning)
- name: Export SARIF
run: ovecc violations --format sarif > ovecc.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ovecc.sarif
Findings then appear in the repository's Security → Code scanning tab with
file:line annotations on the PR diff.
GitLab CI
--format codeclimate emits the Code Quality report format GitLab renders natively
on merge requests:
ovecc:
stage: test
script:
- git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
- git checkout origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME && ovecc index .
- git checkout $CI_COMMIT_SHA && ovecc index .
- ovecc gate --fail-on high
- ovecc violations --format codeclimate > gl-code-quality-report.json
artifacts:
reports:
codequality: gl-code-quality-report.json
when: always
Any CI system
The generic recipe is four commands and an exit code:
git checkout "$BASE_SHA" && ovecc index .
git checkout "$HEAD_SHA" && ovecc index .
ovecc review --format markdown > review.md # human artifact
ovecc gate --fail-on high # exit 1 = block the merge
Useful properties when scripting:
- Exit
1means "threshold crossed" — the full report is still printed, so your CI log always explains the failure. Exit≥ 2means the run itself broke (codes). - A closed pipe is not an error (
ovecc report | headexits0). - Baseline ratchet for legacy repos: commit
.ovecc/baseline.json(created withovecc violations --write-baseline) and runovecc violations --baseline --fail-on anyin CI. Only new findings fail. - Change scoping:
ovecc violations --changed-since origin/mainlimits findings to files the PR touched. - Dependency audit in CI:
ovecc audit --fetch --fail-on high(the only step that needs network; cache.ovecc/osv/to keep it offline).
Caching
.ovecc/graph.db contains the parse cache and all snapshots. Persisting it between
CI runs (as a cache keyed on the branch) turns indexing into an incremental
operation; without it, each run pays the cold-index cost, which is still fine for
small and medium repositories.