Follow these steps to integrate Amazon CodeGuru Reviewer with GitHub Actions:
Your GitHub Actions workflow needs access to resources in your AWS account in order to create code reviews with CodeGuru Reviewer.
The recommended way to grant that access is with short-lived credentials obtained through OpenID Connect (OIDC).
You can use this CloudFormation template to create all the resources required to configure Amazon CodeGuru Reviewer with GitHub Actions:
- An OpenID Connect (OIDC) identity provider for GitHub
- An Amazon S3 bucket to upload code and build artifacts for CodeGuru Reviewer
- An IAM role with access to the S3 bucket and the `AmazonCodeGuruReviewerFullAccess` policy, which can be assumed by the CodeGuru Reviewer workflow on your GitHub repository
If you prefer, you can also follow the instructions below:
- Create an OpenID Connect identity provider on AWS:
  - Provider Type: OpenID Connect
  - Provider URL: `https://token.actions.githubusercontent.com`
  - Audience: `sts.amazonaws.com`
- Create an S3 bucket with the prefix `codeguru-reviewer-` to upload your code and build artifacts for CodeGuru Reviewer.
- Create an IAM role that the GitHub OIDC provider can assume when running the CodeGuru GitHub Action workflow, with the following trust and permissions policies:
  - Trust policy (replace `{AWS_ACCOUNT_ID}`, `{GITHUB_ORG}` and `{GITHUB_REPO}` with your own values):

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::{AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringLike": {
              "token.actions.githubusercontent.com:sub": "repo:{GITHUB_ORG}/{GITHUB_REPO}:*"
            }
          }
        }
      ]
    }
    ```

  - Permissions policy: Amazon S3 permissions for the `codeguru-reviewer-*` S3 bucket.
- Create your `workflow.yml` file inside `.github/workflows`:
```yaml
name: CodeGuru Reviewer GitHub Actions Integration
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
jobs:
  CodeGuru-Reviewer-Actions:
    runs-on: ubuntu-latest
    permissions:
      # Required to interact with GitHub's OIDC Token endpoint.
      id-token: write
      # Required for Checkout action.
      contents: read
      # Required for CodeQL action (upload SARIF files).
      security-events: write
    steps:
      # Checkout the repo
      - name: Checkout Repository
        uses: actions/checkout@v2
        with:
          # Required for CodeGuru Reviewer.
          fetch-depth: 0 # Fetches all history for all branches and tags.
      # Set up Java
      - name: Setup Java
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '11'
      # Build source code with Maven
      - name: Build with Maven
        run: mvn --batch-mode --update-snapshots verify
      # Configure AWS Credentials
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}
      # Add CodeGuru Reviewer Action
      - name: Amazon CodeGuru Reviewer
        uses: aws-actions/[email protected]
        with:
          # Build artifacts directory. Only required for Java repositories.
          build_path: target
          # S3 Bucket with "codeguru-reviewer-*" prefix. Required.
          s3_bucket: ${{ secrets.AWS_CODEGURU_REVIEWER_S3_BUCKET }}
      # Upload results to GitHub
      - name: Upload review results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: codeguru-results.sarif.json
```
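As an added check that is not part of the action's own code, the following Python script audits a trust policy like the one in the IAM role step above for the properties that keep the role scoped to your workflow: the federated principal is the GitHub provider, the `sub` condition names exactly one repository rather than a wildcard, and the `aud` claim is pinned to `sts.amazonaws.com` (a condition the policy shown above does not include). The account ID, organisation and repository names in the samples are constructed.

```python
import json
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"


def audit_github_trust_policy(policy_json):
    """Return a list of findings for the AssumeRoleWithWebIdentity statements of an
    IAM trust policy; an empty list means every check passed."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + GITHUB_OIDC):
            findings.append("principal is not the GitHub OIDC provider: %r" % federated)
        cond = stmt.get("Condition", {})
        sub = (cond.get("StringLike", {}).get(GITHUB_OIDC + ":sub")
               or cond.get("StringEquals", {}).get(GITHUB_OIDC + ":sub"))
        subs = [sub] if isinstance(sub, str) else (sub or [])
        if not subs:
            findings.append("no 'sub' condition: any GitHub repository could assume this role")
        for s in subs:
            # Require repo:<org>/<repo>:<suffix>; a wildcard in the org or repo part would
            # let workflows in other repositories assume the role.
            if not re.fullmatch(r"repo:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+:.*", s):
                findings.append("'sub' is not scoped to one repository: %r" % s)
        # The provider is registered with audience sts.amazonaws.com; pin it here as well.
        if cond.get("StringEquals", {}).get(GITHUB_OIDC + ":aud") != "sts.amazonaws.com":
            findings.append("missing StringEquals condition on 'aud' == sts.amazonaws.com")
    return findings


def make_policy(sub, aud=None):
    # Constructed sample derived from the page's trust policy, placeholders filled in.
    cond = {"StringLike": {GITHUB_OIDC + ":sub": sub}}
    if aud:
        cond["StringEquals"] = {GITHUB_OIDC + ":aud": aud}
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond}]})


PAGE_POLICY = make_policy("repo:example-org/example-repo:*")                  # as on the page
HARDENED_POLICY = make_policy("repo:example-org/example-repo:*", "sts.amazonaws.com")
TOO_BROAD_POLICY = make_policy("repo:example-org/*", "sts.amazonaws.com")     # any repo in the org
```

Run `audit_github_trust_policy` against the trust policy you attach to the role; a non-empty result means a workflow outside the intended repository could obtain the role's credentials.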
- Configuring OpenID Connect in Amazon Web Services (GitHub Docs)
- Creating OpenID Connect (OIDC) identity providers (AWS Documentation)
- Creating a role for web identity or OpenID connect federation (AWS Documentation)
- Configure AWS Credentials (GitHub Action)
- Amazon CodeGuru Reviewer (GitHub Action)
- Create code reviews with GitHub Actions (AWS Documentation)