Structural Change Controller for AI-assisted Python development — CI integration with:
- configurable CI gating
- SARIF upload for GitHub Code Scanning
- PR summary comments
- deterministic JSON report generation
This action is designed for PR and CI workflows where you want CodeClone to act as a non-LLM review bot: run analysis, upload SARIF, post a concise summary, and propagate the real gate result.
The v2 action flow is:
- set up Python
- install codeclone
- optionally require a committed baseline
- run CodeClone with JSON + optional SARIF output
- optionally upload SARIF to GitHub Code Scanning
- optionally post or update a PR summary comment
- return the real CodeClone exit code as the job result
When the action is used from the checked-out CodeClone repository itself (`uses: ./.github/actions/codeclone`), it installs CodeClone from the repo source under test. Remote consumers still install from PyPI.
```yaml
- uses: orenlab/codeclone/.github/actions/codeclone@v2
  with:
    fail-on-new: "true"
```

For strict reproducibility, pin the full release tag:

```yaml
- uses: orenlab/codeclone/.github/actions/codeclone@v2.0.2
```

For long-lived workflows, `@v2` follows the latest compatible 2.x action metadata.
```yaml
name: CodeClone
on:
  pull_request:
    types: [ opened, synchronize, reopened ]
    paths: [ "**/*.py" ]
permissions:
  contents: read
  security-events: write
  pull-requests: write
jobs:
  codeclone:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: orenlab/codeclone/.github/actions/codeclone@v2
        with:
          fail-on-new: "true"
          fail-health: "60"
          sarif: "true"
          pr-comment: "true"
```

For numeric gate inputs, `-1` means "disabled".
The action propagates the real CodeClone exit code at the end:
- `0`: success
- `2`: contract error
- `3`: gating failure
- `5`: internal error
SARIF upload and PR comment posting are treated as additive integrations. The final job result is still driven by the CodeClone analysis exit code.
Recommended permissions:

```yaml
permissions:
  contents: read
  security-events: write
  pull-requests: write
```

Notes:
- `security-events: write` is required for SARIF upload
- `pull-requests: write` is required for PR comments
- if you only want gating and JSON output, you can disable `sarif` and `pr-comment`
Released action tags pin the PyPI package version in action metadata. For example, `@v2.0.2` installs `codeclone==2.0.2` unless you override `package-version`.
Explicit prerelease or smoke-test override:

```yaml
with:
  package-version: "<version>"
```

Local/self-repo validation:

```yaml
- uses: ./.github/actions/codeclone
```

`uses: ./.github/actions/codeclone` installs CodeClone from the checked-out repository source, so release branches and unreleased commits do not depend on PyPI publication.
- For private repositories without GitHub Advanced Security, SARIF upload may not be available. In that case, set `sarif: "false"` and rely on the PR comment + exit code.
- The baseline file must exist in the repository when `require-baseline: true`.
- The action always generates a canonical JSON report, even if SARIF is disabled.
- PR comments are updated in place using a hidden marker, so repeated runs do not keep adding duplicate comments.
- Analysis has a 10-minute timeout. For very large repositories, consider using `extra-args: "--skip-metrics"` or narrowing the scan scope.
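As an added illustration (not the action's own code), the following Python sketches two behaviours described above: mapping the propagated exit code to a gate result for the summary, and locating an existing marked comment so the summary is updated in place instead of duplicated. The marker text, the report fields and the comment records are assumptions constructed for the example.

```python
import json
from typing import Dict, List, Optional, Tuple

# Assumed marker: the real action's hidden marker text is not documented here.
MARKER = "<!-- codeclone-summary -->"

# Exit code meanings as documented for the action.
EXIT_CODES = {0: "success", 2: "contract error", 3: "gating failure", 5: "internal error"}


def describe_exit(code: int) -> str:
    """Map the propagated CodeClone exit code to a human-readable gate result."""
    return EXIT_CODES.get(code, f"unknown exit code {code}")


def render_summary(report: Dict[str, object], exit_code: int) -> str:
    """Build the PR comment body; the leading marker lets later runs find it."""
    lines = [
        MARKER,
        "### CodeClone summary",
        f"Gate result: `{exit_code}` ({describe_exit(exit_code)})",
    ]
    # Report field names are assumptions; the real JSON schema is not shown on this page.
    for key in ("health", "new_clones", "total_clones"):
        if key in report:
            lines.append(f"- {key}: {report[key]}")
    return "\n".join(lines)


def plan_comment(existing_comments: List[Dict[str, object]]) -> Tuple[str, Optional[int]]:
    """Return ('update', id) if a marked comment exists, else ('create', None)."""
    for comment in existing_comments:
        if str(comment["body"]).startswith(MARKER):
            return "update", int(comment["id"])
    return "create", None


# Constructed sample input: a JSON report and two pre-existing PR comments.
SAMPLE_REPORT = json.loads('{"health": 72, "new_clones": 1, "total_clones": 9}')
SAMPLE_COMMENTS = [
    {"id": 101, "body": "LGTM"},
    {"id": 102, "body": MARKER + "\n### CodeClone summary\nGate result: `0` (success)"},
]

if __name__ == "__main__":
    body = render_summary(SAMPLE_REPORT, 3)
    action, comment_id = plan_comment(SAMPLE_COMMENTS)
    print(action, comment_id)  # update 102
    print(body)
```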
