Skip to content
Latchkey

Adding Codacy to GitHub Actions

Run Codacy quality checks and push coverage from your GitHub Actions workflow.

Codacy provides automated code review and coverage reporting. You can run its CLI analysis action locally in CI or just upload coverage with the coverage-reporter action. Both need a project API token stored as a secret.

What you need

  • A CODACY_PROJECT_TOKEN secret from your Codacy project settings.
  • A coverage report (lcov, coverage.xml, or jacoco.xml) if uploading coverage.
  • The codacy/codacy-analysis-cli-action or codacy/codacy-coverage-reporter-action.

The workflow

Upload coverage after your tests produce a report:

.github/workflows/ci.yml
- name: Test
  run: npm test -- --coverage

- name: Upload coverage to Codacy
  uses: codacy/codacy-coverage-reporter-action@v1
  with:
    project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
    coverage-reports: coverage/lcov.info

Run analysis

To run Codacy linters in CI and produce SARIF for the Security tab:

.github/workflows/ci.yml
- uses: codacy/codacy-analysis-cli-action@v4
  with:
    project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
    format: sarif
    output: results.sarif

Common gotchas

  • The project token is per-repository - reusing one across repos sends data to the wrong project.
  • The coverage reporter expects a supported format; mixed formats need the multiple coverage-reports input.
  • The analysis CLI pulls Docker images, adding minutes - pin a runner with Docker preinstalled.

Key takeaways

  • Codacy uses a per-project API token stored as a secret.
  • Use codacy-coverage-reporter-action to push lcov/xml coverage.
  • codacy-analysis-cli-action can emit SARIF for the GitHub Security tab.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →