@sanjomo sanjomo commented Dec 6, 2025

Description

Brief description of the changes in this PR.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Test improvements
  • Build/tooling changes

Related Issue

Closes #(issue number)

Changes Made

Testing

  • All existing tests pass
  • New tests added for new functionality
  • Tests pass locally with mvn test
  • Integration tests pass (if applicable)

Checklist

  • Code follows project coding standards
  • Self-review completed
  • Code is commented where necessary
  • Documentation updated (if needed)
  • Commit messages follow conventional format
  • No merge conflicts
  • All CI checks pass

Additional Notes

Any additional information, screenshots, or context that reviewers should know.

Summary by CodeRabbit

  • Chores
    • Added an automated code-quality workflow that runs Qodana scans as part of CI, triggered on manual dispatch, pull requests, and pushes to main and release branches; workflow captures full commit history for accurate analysis.


coderabbitai bot commented Dec 6, 2025

Walkthrough

Adds a new GitHub Actions workflow at .github/workflows/code_quality.yml that runs Qodana scans on workflow_dispatch, pull_request, and push (main and releases/*), checking out the repo and invoking JetBrains/qodana-action@v2025.2 with QODANA_TOKEN and QODANA_ENDPOINT set.

Changes

Cohort / File(s) | Change Summary
GitHub Actions Workflow: .github/workflows/code_quality.yml | Added a new Qodana workflow triggered on pull_request, push (main/releases/*), and workflow_dispatch; defines a qodana job on ubuntu-latest that checks out full repo history and runs JetBrains/qodana-action@v2025.2 with QODANA_TOKEN and QODANA_ENDPOINT in the environment and scoped permissions for contents, pull-requests, and checks.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Verify the Qodana action version (v2025.2) is intended.
  • Confirm secure provisioning/usage of QODANA_TOKEN and QODANA_ENDPOINT.
  • Review requested workflow permissions (contents, pull-requests, checks) for least-privilege alignment.

Poem

🐰 I hopped into CI, nose all aglow,
A Qodana beacon to catch every foe,
Scanning each branch with meticulous cheer,
Bugs tremble softly when the rabbit is near. ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description follows the template structure but is largely incomplete with empty sections (Changes Made, Description details) and no concrete information about what was added. | Fill in the Description section with details about the Qodana workflow, populate Changes Made with specific bullets, and update the Related Issue section with the actual issue number if applicable.
✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and specifically describes the main change: adding a Qodana code quality workflow to the repository.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between edc7748 and f241f47.

📒 Files selected for processing (1)
  • .github/workflows/code_quality.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/code_quality.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: Analyze (java-kotlin)
  • GitHub Check: build (17) / build
  • GitHub Check: build (25) / build
  • GitHub Check: build (21) / build
  • GitHub Check: Analyze (java-kotlin)
  • GitHub Check: qodana



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/code_quality.yml (2)

22-28: Verify the Qodana action version and reconsider pr-mode setting.

Two concerns:

  1. The action version v2025.2 is very recent. Verify it's stable and the correct version for your Qodana setup.
  2. pr-mode: false disables PR-specific feedback (inline comments, review features). For pull requests, this should typically be true to provide inline quality insights. Consider making it conditional: ${{ github.event_name == 'pull_request' }}.

If you want PR-specific feedback during pull request reviews, apply this diff:

      - name: 'Qodana Scan'
        uses: JetBrains/qodana-action@v2025.2
        with:
-          pr-mode: false
+          pr-mode: ${{ github.event_name == 'pull_request' }}
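
Review bot: the `uses: JetBrains/qodana-action@v2025.2` context line in this hunk references the action by a tag, and a tag can later be moved to different code; because this job runs with QODANA_TOKEN in its environment and write permissions, pin the action to the full commit SHA of the release that was reviewed and keep the version as a trailing comment. The `pr-mode` expression on the `+` line evaluates to true only for pull_request events, so push and workflow_dispatch runs keep pr-mode off as they have it today.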

Also, please verify that v2025.2 is the intended, stable version of the Qodana action by checking the JetBrains/qodana-action releases.


13-16: Review permission scope: contents: write may be overly broad.

The workflow requests write access to repository contents, which is a broad permission. Qodana scanning typically operates read-only on source code. Verify whether contents: write is necessary, or if limiting to pull-requests: write and checks: write would be sufficient for the intended behavior.

If Qodana only needs to report results without modifying repository content, consider removing contents: write:

    permissions:
-      contents: write
       pull-requests: write
       checks: write
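
Review bot: deleting `contents: write` outright leaves the `permissions` block with no `contents` entry, and GitHub sets every scope not listed in such a block to none; replace the line with `contents: read` instead of removing it, so the checkout step can still fetch the repository (required if the repository is private) while the token loses write access to code.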
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9945958 and edc7748.

📒 Files selected for processing (1)
  • .github/workflows/code_quality.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/code_quality.yml

18-18: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: build (25) / build
  • GitHub Check: build (17) / build
  • GitHub Check: build (21) / build
  • GitHub Check: Analyze (java-kotlin)
  • GitHub Check: Analyze (java-kotlin)

Comment on lines 18 to 21
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit
          fetch-depth: 0  # a full history is required for pull request analysis

⚠️ Potential issue | 🔴 Critical

Critical: Checkout will fail on non-PR events due to undefined github.event.pull_request.head.sha.

The ref parameter uses ${{ github.event.pull_request.head.sha }} unconditionally, but this variable is undefined for push and workflow_dispatch events. This will cause the checkout step to fail or behave unpredictably on main branch pushes and manual triggers.

Use a conditional expression to select the correct ref based on the event type:

      - uses: actions/checkout@v3
        with:
-          ref: ${{ github.event.pull_request.head.sha }}  # to check out the actual pull request commit, not the merge commit
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}  # PR head for PRs, commit SHA for push events
          fetch-depth: 0  # a full history is required for pull request analysis
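
Review bot: the unchanged `- uses: actions/checkout@v3` line at the top of this hunk is the one actionlint reports as too old to run, so the suggestion fixes the ref but leaves the step on the flagged version; move it to a current major release of actions/checkout in the same change. On the `+` line, the trailing comment mentions only push events, while the `github.sha` fallback also covers workflow_dispatch runs, so word the comment to match.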
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }} # to check out the actual pull request commit, not the merge commit
fetch-depth: 0 # a full history is required for pull request analysis
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha || github.sha }} # PR head for PRs, commit SHA for push events
fetch-depth: 0 # a full history is required for pull request analysis
🧰 Tools
🪛 actionlint (1.7.9)

18-18: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
.github/workflows/code_quality.yml lines 18-21: The checkout step
unconditionally uses github.event.pull_request.head.sha which is undefined for
push and workflow_dispatch events; change the ref to a conditional expression
that uses github.event.pull_request.head.sha when the event is a pull_request
and falls back to github.ref (or github.sha) for push/workflow_dispatch, e.g.
use an if/ternary style expression in the ref input or remove the ref input and
rely on the default checkout behavior while keeping fetch-depth: 0 so the action
works for PRs, pushes, and manual triggers.

github-actions bot commented Dec 6, 2025

Qodana for JVM

64 new problems were found

Inspection name Severity Problems
Vulnerable declared dependency 🔶 Warning 8
Pointless arithmetic expression 🔶 Warning 7
AutoCloseable used without 'try'-with-resources 🔶 Warning 4
Comparison of 'short' and 'char' values 🔶 Warning 2
Result of method call ignored 🔶 Warning 2
Unused assignment 🔶 Warning 2
Busy wait 🔶 Warning 1
Injection point with ambiguous dependencies 🔶 Warning 1
Constant values 🔶 Warning 1
Number of placeholders does not match number of arguments in logging call 🔶 Warning 1
Unnecessary 'null' check before method call 🔶 Warning 1
Wrapper type may be primitive 🔶 Warning 1
Non-distinguishable logging calls ◽️ Notice 17
Vulnerable declared dependency ◽️ Notice 9
Non-constant string concatenation as argument to logging call ◽️ Notice 7

☁️ View the detailed Qodana report

Detected 122 dependencies

Third-party software list

This page lists the third-party software dependencies used in project

Dependency Version Licenses
aesh 2.8.2 Apache-2.0
arc-processor 3.30.1 Apache-2.0
arc 3.30.1 Apache-2.0
asm-analysis 9.9 BSD-3-Clause
asm-commons 9.9 BSD-3-Clause
asm-tree 9.9 BSD-3-Clause
asm-util 9.9 BSD-3-Clause
asm 9.9 BSD-3-Clause
byte-buddy 1.17.7 Apache-2.0
cache-api 1.1.1 Apache-2.0
commons-codec 1.20.0 Apache-2.0
commons-compress 1.28.0 Apache-2.0
commons-io 2.21.0 Apache-2.0
commons-logging-jboss-logging 1.0.0.final Apache-2.0
commons-logging 1.3.5 Apache-2.0
crac 1.5.0 BSD-2-Clause
gizmo 1.9.0 Apache-2.0
gizmo2 2.0.0.beta10 Apache-2.0
hazelcast 5.2.5 MIT
jackson-annotations 2.20 Apache-2.0
jackson-core 2.20.1 Apache-2.0
jackson-databind 2.20.1 Apache-2.0
jackson-dataformat-yaml 2.20.0 AML
jackson-datatype-jsr310 2.20.0 Apache-2.0
jakarta.annotation-api 2.1.1 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
jakarta.annotation-api 3.0.0 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
jakarta.el-api 6.0.1 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
jakarta.enterprise.cdi-api 4.1.0 Apache-2.0
jakarta.enterprise.lang-model 4.1.0 Apache-2.0
jakarta.inject-api 2.0.1 Apache-2.0
jakarta.interceptor-api 2.2.0 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
jakarta.json-api 2.1.3 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
jakarta.transaction-api 2.0.1 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
jandex-gizmo2 3.5.2 Apache-2.0
jandex 3.5.2 Apache-2.0
jansi 2.4.0 Apache-2.0
jboss-logging 3.6.1.final Apache-2.0
jboss-logmanager 3.1.2.final Apache-2.0
jboss-threads 3.9.1 Apache-2.0
jctools-core 4.0.5 Apache-2.0
jdk-classfile-backport 25.1 GPL-2.0-only
jodd-util 6.3.0 BSD-2-Clause
jspecify 1.0.0 Apache-2.0
jul-to-slf4j 2.0.17 MIT
kryo 5.6.2 BSD-3-Clause
log4j-api 2.25.2 Apache-2.0
log4j-to-slf4j 2.25.2 Apache-2.0
micrometer-commons 1.16.0 Apache-2.0
micrometer-observation 1.16.0 Apache-2.0
micronaut-aop 4.10.2 Apache-2.0
micronaut-context-propagation 4.10.2 Apache-2.0
micronaut-context 4.10.2 Apache-2.0
micronaut-core-reactive 4.10.2 Apache-2.0
micronaut-core 4.10.2 Apache-2.0
micronaut-discovery-core 4.10.2 Apache-2.0
micronaut-http-server 4.10.2 Apache-2.0
micronaut-http 4.10.2 Apache-2.0
micronaut-inject 4.10.2 Apache-2.0
micronaut-retry 4.10.2 Apache-2.0
micronaut-router 4.10.2 Apache-2.0
micronaut-runtime 4.10.2 Apache-2.0
microprofile-config-api 3.1 Apache-2.0
microprofile-context-propagation-api 1.3 Apache-2.0
minlog 1.3.1 BSD-3-Clause
mutiny 3.0.1 Apache-2.0
nativeimage 23.1.2 UPL-1.0
netty-common 4.2.7.final Apache-2.0
parsson 1.1.7 Classpath-exception-2.0, EPL-2.0, GPL-2.0-only
quarkus-arc-deployment 3.30.1 Apache-2.0
quarkus-arc-dev 3.30.1 Apache-2.0
quarkus-arc 3.30.1 Apache-2.0
quarkus-bootstrap-app-model 3.30.1 Apache-2.0
quarkus-bootstrap-core 3.30.1 Apache-2.0
quarkus-bootstrap-runner 3.30.1 Apache-2.0
quarkus-builder 3.30.1 Apache-2.0
quarkus-class-change-agent 3.30.1 Apache-2.0
quarkus-classloader-commons 3.30.1 Apache-2.0
quarkus-core-deployment 3.30.1 Apache-2.0
quarkus-core 3.30.1 Apache-2.0
quarkus-development-mode-spi 3.30.1 Apache-2.0
quarkus-devui-deployment-spi 3.30.1 Apache-2.0
quarkus-fs-util 1.2.0 Apache-2.0
quarkus-hibernate-validator-spi 3.30.1 Apache-2.0
quarkus-ide-launcher 3.30.1 Apache-2.0
quarkus-smallrye-context-propagation-spi 3.30.1 Apache-2.0
reactive-streams 1.0.4 MIT-0
reactor-core 3.6.2 Apache-2.0
reactor-core 3.7.9 Apache-2.0
readline 2.6 Apache-2.0
redisson 3.52.0 Apache-2.0
reflectasm 1.11.9 BSD-3-Clause
rxjava 3.1.8 Apache-2.0
slf4j-api 2.0.17 MIT
slf4j-jboss-logmanager 2.0.2.final Apache-2.0
smallrye-common-annotation 2.14.0 Apache-2.0
smallrye-common-classloader 2.14.0 Apache-2.0
smallrye-common-constraint 2.14.0 Apache-2.0
smallrye-common-cpu 2.14.0 Apache-2.0
smallrye-common-expression 2.14.0 Apache-2.0
smallrye-common-function 2.14.0 Apache-2.0
smallrye-common-io 2.14.0 Apache-2.0
smallrye-common-net 2.14.0 Apache-2.0
smallrye-common-os 2.14.0 Apache-2.0
smallrye-common-process 2.14.0 Apache-2.0
smallrye-common-ref 2.14.0 Apache-2.0
smallrye-common-resource 2.14.0 Apache-2.0
smallrye-config-common 3.14.1 Apache-2.0
smallrye-config-core 3.14.1 Apache-2.0
smallrye-config 3.14.1 Apache-2.0
snakeyaml 2.4 Apache-2.0
snakeyaml 2.5 Apache-2.0
spring-aop 7.0.1 Apache-2.0
spring-beans 7.0.1 Apache-2.0
spring-boot-autoconfigure 4.0.0 Apache-2.0
spring-boot-starter-logging 4.0.0 Apache-2.0
spring-boot-starter 4.0.0 Apache-2.0
spring-boot 4.0.0 Apache-2.0
spring-context 7.0.1 Apache-2.0
spring-core 7.0.1 Apache-2.0
spring-expression 7.0.1 Apache-2.0
wildfly-common 2.0.1 Apache-2.0
word 23.1.2 UPL-1.0
Contact Qodana team

Contact us at qodana-support@jetbrains.com

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@sanjomo sanjomo merged commit edbbe6b into main Dec 6, 2025
10 checks passed
@sanjomo sanjomo deleted the sanjomo-patch-2 branch December 6, 2025 14:52