Skip to content

iszlai/ik-action

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

inkode GitHub Action

Run inkode (ik) against your repository on every PR / push and post a sticky comment summarising new findings, fixed issues, and the overall score.

- uses: iszlai/ik-action@v1
  with:
    token: ${{ secrets.IK_TOKEN }}
    fail-on: new-errors

What you get

  • Inline annotations on the PR diff for every finding (severity-mapped to ::error / ::warning / ::notice).
  • A sticky PR comment — single comment, updated on subsequent runs — listing new findings introduced by the PR and findings the PR fixed.
  • A status check that passes/fails according to your --fail-on policy.
  • A shareable report URL like https://api.inkode.co/r/<id> for every scan, exposed as the action's report-url output and embedded in the sticky comment.
  • Public trend page + status badge at https://api.inkode.co/p/<your- project> (opt-in via the per-project admin page). Drop the badge into your README:
    [![inkode](https://api.inkode.co/p/your-project/badge.svg)](https://api.inkode.co/p/your-project)

Quickstart

  1. Get a trial token in 30 seconds. Visit api.inkode.co/ci/start, enter a project slug + your email. You get a token good for 10 CI runs over 30 days — enough to wire it up and see a few PRs land. Need more than 10 (or a custom slug that's already taken)? Email hello@inkode.co and we'll mint an unlimited token.
  2. Add it as a repo secret called IK_TOKEN:
    gh secret set IK_TOKEN --repo your-org/your-repo
  3. Drop a .ik.yaml into your repo (run ik init locally if you don't have one yet).
  4. Add .github/workflows/ik.yml:
name: ik
on: [pull_request, push]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write   # required for the sticky PR comment
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0      # ik needs git history for hotspot/coupling
      - uses: iszlai/ik-action@v1
        with:
          token: ${{ secrets.IK_TOKEN }}
          fail-on: new-errors

That's it.

Inputs

Name Default Description
token (required) Project push token (set as a repo secret).
endpoint https://api.inkode.co inkode server URL. Override for self-hosted instances.
fail-on new-errors Policy that decides exit code. See below.
output github-annotations human | json | github-annotations | sarif.
comment true Post (or update) a sticky PR comment.
ik-version latest ik release tag (e.g. v0.5.0).
repo-path . Path to the repository root.

Outputs

Name Description
score Overall score 0–100.
grade Letter grade A–F.
report-url Public URL of the uploaded report.

fail-on policies

Policy Fails when…
never never.
score:N the overall score is below N. Example: score:60.
new-errors the PR introduces ≥ 1 new finding with severity error. Recommended for PRs.
new-warnings the PR introduces ≥ 1 new finding (any severity).
score-drop:N the overall score drops by ≥ N points vs the base branch. Example: score-drop:5.

Diff-aware policies (new-errors, new-warnings, score-drop:N) compare against the most recent report on the PR's base branch. If no baseline exists yet (the project's first scan, or the base branch has never been scanned), they degrade to score:60.

Examples

See examples/ for ready-to-copy workflows:

Permissions

The action posts PR comments via marocchino/sticky-pull-request-comment. That requires pull-requests: write on the workflow's permissions: block.

What ik actually does

inkode runs 17 static checks across five categories — security (secrets, dep-audit, infra, scripts, error-handling), testing (test-presence), maintainability (duplication, coupling, import-graph, dead-code, magic-numbers, todo-density), complexity (cyclomatic complexity per function, line count), and change risk (git hotspots). Two more informational checks (semantic duplication via an embedded LLM, AI-tool stack detection) surface in the report without affecting the score. Languages covered: Go, Python, JavaScript, TypeScript, Java, and Rust. Findings the PR introduces or fixes are diffed against the base branch's most recent scan.

Questions, bug reports, or want a token?

Email hello@inkode.co — fastest path to a push token, a feature request, or a bug report. For action-specific issues you can also open an issue.

License

MIT

About

No description, website, or topics provided.

Resources

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors