
Automating Code Reviews with Amazon Q and GitHub Actions

Using The Amazon Q Developer CLI in your CI/CD pipeline to automate your Code Reviews

Published Mar 16, 2025
Hello!! This is my first blog post on the AWS forums. My organization has recently adopted Amazon Q Developer and, with my DevOps brain having lived and breathed CI/CD for the past 5 years, I just wanted to share how I managed to get Amazon Q working within a GitHub Actions pipeline.

Why use Q in CI/CD?

This post is primarily a proof of concept of how you can integrate the Amazon Q Developer CLI into your CI/CD pipeline. But before diving into the technical details, it's worth asking: why would you want to do this in the first place?
The answer is simple: efficiency. AI is all about optimizing workflows, and if Amazon Q can handle automated and reliable code reviews, that means less time spent on manual review and more time for developers to focus on writing great code.

Using Amazon Q in the CI/CD Context!

For this example I will be using GitHub Actions, but the same approach works with any CI/CD pipeline, or even as part of a Docker build process.
Note:
This setup has only been used in a proof-of-concept environment. If you want to use it in a production setting, make sure you have approval from your DevOps and security teams and have the appropriate guardrails in place before attempting the steps below.

Installation

Below is a sample GitHub Action for installing and running Amazon Q. This pipeline runs specifically on pull requests to the "main" branch, but you can use GitHub Actions to integrate it into any existing workflow you have.
```yaml
name: Amazon Q Pipeline
on:
  pull_request:
    branches:
      - main
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Amazon Q
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
      - name: Run Amazon Q
        run: q chat "Hello Amazon Q! What capabilities do you offer??"
```
So, let's see how it runs.

Turns out, by default, not well: we haven't authenticated the CI/CD context with Amazon Q Developer.

Persisting the Authentication with Amazon Q Developer

Right, so with most "modern" CI/CD pipelines we have disposable agents that run either on VMs or in Docker containers, meaning they are usually stateless. So by default, Amazon Q Developer will always be logged out. If you are hosting your own CI/CD infrastructure, you may have stateful agents that you could log in to manually and reauthenticate when needed. But I will also take the liberty of showing you how you can persist Amazon Q Developer's session between builds.

Logging into Amazon Q Developer CLI

You can initiate the login process by running the `q login` command. This opens an interactive terminal session, which isn't ideal from a CI/CD perspective, as we have to perform manual actions in the terminal to authenticate.
For this walkthrough, run the `q login` command on your local machine, NOT in the CI/CD pipeline.

Follow the prompts in your interactive terminal to authenticate with Q.
My recommendation for regular use is a service account with a Pro license; however, if you are trialing this, a free account will do. Just be aware of the service quotas of the free Amazon Q Developer offering, as they may not be suitable for day-to-day usage within your organization.
Once logged into the Amazon Q CLI, check that you are logged in with the command `q chat "Hello Amazon Q!"`.
You should see something similar to the below.

Persisting the Authentication

For Linux (Ubuntu), the local credentials for Amazon Q Developer are stored in the following location:
`~/.local/share/amazon-q/`
To authenticate the CI/CD context, we need to persist these files to some shared location.
I have used S3 for this example as it was the quickest. But these files are sensitive (they are what authenticates your Amazon Q session), so I would consider implementing additional security measures through S3 VPC endpoints (if hosting your own runners), or by using something like Secrets Manager or SSM Parameter Store.
I uploaded them to S3 by running the below.
`aws s3 sync ~/.local/share/amazon-q/ s3://<amazon-q-bucket>/authentication`

Pulling the Authentication in the GitHub Actions Context

Now that we have the authentication persisted, we can authenticate the CI/CD pipeline with Amazon Q Developer.
This assumes we already have AWS authentication in the pipeline that can access our S3 bucket. If you need to set this up, see the "Configure AWS Credentials" documentation.
```yaml
name: Amazon Q Pipeline
on:
  pull_request:
    branches:
      - main
permissions:
  id-token: write
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Amazon Q
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<account-id>:role/<your-github-actions-role>
          aws-region: <your-region>
      - name: Pull Amazon Q Authentication
        run: aws s3 sync s3://<amazon-q-bucket>/authentication ~/.local/share/amazon-q/
      - name: Run Amazon Q
        run: q chat "Hello Amazon Q! What capabilities do you offer??"
```
Your job should now return output from the Amazon Q Developer CLI.

Running Slash Commands via the Amazon Q CLI

To invoke slash commands via the Amazon Q CLI, we need to run the `q chat` command in a special format:
```bash
q chat -- "--command /<command> <prompt>"
```
e.g.
```bash
q chat -- "--command /review Do a code review for any Critical, or High security issues in my workspace"
```
However, running this will often lead to an interaction prompt in the Amazon Q context:
```text
Let me check if there are any controllers or services in the application:

Execute shell command
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
I will run the following shell command:find /mnt/d/Work/Rybrow/amazon-q-coffee-shop-api/src/main/java -type f -name "*.java" | grep -v "model"

Enter y to run this tool, otherwise continue chatting.
```
This isn't compatible with the CI/CD pipeline, as the pipeline is non-interactive, so we need the `--accept-all` flag, which auto-approves every shell command Amazon Q asks to run (in the pipeline there is nobody to review them, so treat this as a decision to trust the agent with the runner).
So, the command we run in GitHub Actions is:
```bash
q chat --accept-all -- "--command /review Do a code review for any Critical, or High security issues in my workspace"
```
Now our GitHub Actions pipeline looks like this:
```yaml
name: Amazon Q Pipeline
on:
  pull_request:
    branches:
      - main
permissions:
  id-token: write
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Amazon Q
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<account-id>:role/<your-github-actions-role>
          aws-region: <your-region>
      - name: Pull Amazon Q Authentication
        run: aws s3 sync s3://<amazon-q-bucket>/authentication ~/.local/share/amazon-q/
      - name: Run Amazon Q
        run: q chat --accept-all -- "--command /review Do a code review for any Critical, or High security issues in my workspace"
```
Now your pipeline should be showing something like this. For the below I have asked it to review a sample Micronaut project based on the Coffee Machine TDD project.
(Screenshot: start of the CI/CD job)
(Screenshot: review output)

It looks like it has picked up all very valid issues that shouldn't be exposed to a production environment. Usually it would take weeks of product reviews and meetings to identify all of these, and Amazon Q Developer has done it in about 3 minutes!

Working Example

The full working example below makes a list of the files changed in the pull request, tells Amazon Q Developer to review them, and asks it to put a comment on the pull request.
```yaml
name: AI Review of Merge Request

on:
  pull_request:
    branches:
      - main

permissions:
  contents: read
  pull-requests: write
  id-token: write

jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    env:
      prompt: |
        Please do a code review and update any CRITICAL or HIGH security issues.
        The file paths to review are located in changes.txt. Do not edit any files, and only review files that are in the changes.txt file.

        When you are done:
        Using the Github CLI put appropriate comments in a markdown file, and add a single comment on the pull request ${{ github.event.pull_request.number }}.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Get Updated Files
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr view ${{ github.event.pull_request.number }} --json files -q '.files[].path' >> changes.txt
          cat changes.txt
      - name: Review Feature
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
          aws s3 sync ${{ secrets.AMAZON_Q_S3_URI }} ~/.local/share/amazon-q
          echo "/help" | q chat
          q chat -a -- "--command /review ${{ env.prompt }}"
```
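The note at the top of the post asks for guardrails before this goes anywhere near production, and the prompt above relies on the agent obeying "Do not edit any files" while `--accept-all` lets it run whatever commands it proposes. The helpers below are an added example (not code from the post or from Amazon Q) of two checks the job can enforce itself instead of trusting the prompt: filtering the PR file list from `gh pr view` down to paths that are safely inside the checkout, and failing the job if the tracked tree changed after the review step. They assume a checked-out repository on the runner with `git` on PATH; `changes.txt` follows the workflow above, and `review.md` is an assumed name for the markdown file the prompt asks the agent to write.

```bash
#!/usr/bin/env bash
# Added example, not from the post. Guardrail helpers for the review job.
# Assumes a checked-out repo with git on PATH (true on ubuntu-latest).
# changes.txt is the job's own file; review.md is an assumed artifact name.

# sanitize_change_list: read PR file paths (one per line) on stdin and print
# only those safe to hand to the reviewer: relative paths with no '..'
# segments that exist as regular, non-symlink files in the checkout. Files the
# PR deleted, absolute paths and symlinks (which could point outside the
# checkout) are skipped with a note on stderr.
sanitize_change_list() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    case "$path" in
      /*|../*|*/../*|*/..|..)
        printf 'skip (unsafe path): %s\n' "$path" >&2
        continue ;;
    esac
    if [ -L "$path" ] || [ ! -f "$path" ]; then
      printf 'skip (not a regular file): %s\n' "$path" >&2
      continue
    fi
    printf '%s\n' "$path"
  done
}

# unexpected_changes: given the output of `git status --porcelain` ($1) and a
# space-separated allowlist of artifacts the job itself writes ($2), print
# every path that changed and is not on the allowlist. Prints nothing when the
# tree is clean apart from the allowed artifacts.
unexpected_changes() {
  status_output=$1
  allowlist=${2:-}
  printf '%s\n' "$status_output" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    f=${line#???}        # drop the two status columns and the separating space
    f=${f##* -> }        # for renames keep only the destination path
    allowed=0
    for a in $allowlist; do
      [ "$a" = "$f" ] && allowed=1
    done
    [ "$allowed" -eq 1 ] || printf '%s\n' "$f"
  done
}

# check_tree_clean: succeed only when the reviewer left the tree untouched
# apart from the allowlisted artifacts. Run it as the step after
# `q chat --accept-all ...` so the job fails (and the PR comment is not
# trusted) if the agent edited files despite being told not to.
check_tree_clean() {
  changed=$(unexpected_changes "$1" "${2:-}")
  if [ -n "$changed" ]; then
    printf 'reviewer modified files outside its allowlist:\n%s\n' "$changed" >&2
    return 1
  fi
  return 0
}

# Usage inside the job (before and after the review step):
#   sanitize_change_list < raw_changes.txt > changes.txt
#   q chat --accept-all -- "--command /review ..."
#   check_tree_clean "$(git status --porcelain)" "changes.txt review.md"
```

Both checks are cheap and deterministic, which is the point: the prompt expresses an intention, the git status check verifies the outcome. For the same reason the sanitized list is written before the agent runs, not regenerated from whatever it leaves behind.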
If you got this far, thanks for reading! Let me know your thoughts, and whether you've done something similar with Amazon Q!