Automating Code Reviews with Amazon Q and GitHub Actions
Using The Amazon Q Developer CLI in your CI/CD pipeline to automate your Code Reviews
This setup has only been used in a proof-of-concept environment. If you want to use it in a production setting, make sure you have approval from your DevOps and security teams, and the appropriate guardrails in place, before attempting the steps below.
```yaml
name: Amazon Q Pipeline
on:
  pull_request:
    branches:
      - main
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Amazon Q
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
      - name: Run Amazon Q
        run: q chat "Hello Amazon Q! What capabilities do you offer??"
```
It turns out that, by default, it doesn't work well, because the CI/CD context hasn't been authenticated with Amazon Q Developer.
Authentication is done with the
q login
command. This opens an interactive terminal session, shown below, which isn't ideal from a CI/CD perspective, as we have to perform manual actions in the terminal to authenticate. Follow the prompts on your interactive terminal to authenticate with Q.
q chat "Hello Amazon Q!"
You should see something similar to the below.
~/.local/share/amazon-q/
I have used S3 for this example as that was the quickest. But this does contain sensitive data, so I would consider implementing additional security measures through S3 VPC endpoints (if hosting your own runners), or by using something like Secrets Manager or SSM Parameter Store.
aws s3 sync ~/.local/share/amazon-q/ s3://<amazon-q-bucket>/authentication
```yaml
name: Amazon Q Pipeline
on:
  pull_request:
    branches:
      - main
permissions:
  id-token: write
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Amazon Q
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<account-id>:role/<your-github-actions-role>
          aws-region: <your-region>
      - name: Pull Amazon Q Authentication
        run: aws s3 sync s3://<amazon-q-bucket>/authentication ~/.local/share/amazon-q/
      - name: Run Amazon Q
        run: q chat "Hello Amazon Q! What capabilities do you offer??"
```
q chat -- "--command /<command> <prompt>"
q chat -- "--command /review Do a code review for any Critical, or High security issues in my workspace"
```text
Let me check if there are any controllers or services in the application:
Execute shell command
▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
I will run the following shell command:find /mnt/d/Work/Rybrow/amazon-q-coffee-shop-api/src/main/java -type f -name "*.java" | grep -v "model"
Enter y to run this tool, otherwise continue chatting.
```
q chat --accept-all -- "--command /review Do a code review for any Critical, or High security issues in my workspace"
```yaml
name: Amazon Q Pipeline
on:
  pull_request:
    branches:
      - main
permissions:
  id-token: write
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Install Amazon Q
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::<account-id>:role/<your-github-actions-role>
          aws-region: <your-region>
      - name: Pull Amazon Q Authentication
        run: aws s3 sync s3://<amazon-q-bucket>/authentication ~/.local/share/amazon-q/
      - name: Run Amazon Q
        run: q chat --accept-all -- "--command /review Do a code review for any Critical, or High security issues in my workspace"
```
It looks like it's picked all very valid issues that shouldn't be exposed to a production environment. Usually it would take weeks of product reviews and meetings to review and identify all these. And Amazon Q Developer has done this in about 3 minutes!
```yaml
name: AI Review of Merge Request
on:
  pull_request:
    branches:
      - main
permissions:
  contents: read
  pull-requests: write
  id-token: write
jobs:
  AmazonQCodeReview:
    runs-on: ubuntu-latest
    env:
      prompt: |
        Please do a code review and update any CRITICAL or HIGH security issues.
        The file paths to review are located in changes.txt. Do not edit any files, and only review files that are in the changes.txt file.
        When you are done:
        Using the Github CLI put appropriate comments in a markdown file, and add a single comment on the pull request ${{ github.event.pull_request.number }}.
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
          aws-region: ${{ secrets.AWS_REGION }}
      - name: Get Updated Files
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr view ${{ github.event.pull_request.number }} --json files -q '.files[].path' >> changes.txt
          cat changes.txt
      - name: Review Feature
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://desktop-release.q.us-east-1.amazonaws.com/latest/amazon-q.deb -o amazon-q.deb
          sudo apt install -y ./amazon-q.deb
          rm amazon-q.deb
          aws s3 sync ${{ secrets.AMAZON_Q_S3_URI }} ~/.local/share/amazon-q
          echo "/help" | q chat
          q chat -a -- "--command /review ${{ env.prompt }}"
```
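As an added example (not part of the original post), the "Get Updated Files" and "Review Feature" steps above can be moved into one helper script. It builds changes.txt with `>` rather than `>>` so a re-run never accumulates stale paths, drops PR paths that no longer exist in the checkout (deleted files) and a small deny-list of lock and binary files, and pulls the Amazon Q authentication state with owner-only permissions and a cleanup trap, since that directory grants access as the logged-in user. The script name, the deny-list and the argument order are assumptions; the gh, aws and q commands are the ones the workflow already uses.

```shell
#!/usr/bin/env bash
# Added example helper for the Review Feature step (assumed name: review.sh).
# Usage: review.sh <pr-number> <s3-auth-uri> "<prompt>"
set -eu

# Read PR file paths from stdin and write the ones worth reviewing to $1.
# Prints the number of kept paths. Uses '>' so repeated runs do not append.
filter_changed_files() {
  local out="$1" path
  : > "$out"
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    # Deleted or renamed-away files are listed by the PR but have nothing to review.
    [ -f "$path" ] || continue
    # Assumed deny-list: generated and binary artefacts add noise, not findings.
    case "$path" in
      *.lock|package-lock.json|*/package-lock.json|*.png|*.jpg|*.jar|*.min.js) continue ;;
    esac
    printf '%s\n' "$path" >> "$out"
  done
  wc -l < "$out" | tr -d ' '
}

# Pull the Amazon Q auth state from S3 into the path the CLI reads, keep it
# owner-only, and remove it when the step's shell exits (success or failure).
fetch_q_auth() {
  local src="$1" dest="$HOME/.local/share/amazon-q"
  umask 077
  mkdir -p "$dest"
  trap 'rm -rf "$HOME/.local/share/amazon-q"' EXIT
  aws s3 sync "$src" "$dest"
  chmod -R go-rwx "$dest"
}

main() {
  local pr="$1" s3_uri="$2" prompt="$3"
  gh pr view "$pr" --json files -q '.files[].path' | filter_changed_files changes.txt
  fetch_q_auth "$s3_uri"
  q chat -a -- "--command /review $prompt"
}

# Only run the full pipeline when invoked with the three arguments above.
if [ "$#" -eq 3 ]; then main "$@"; fi
```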