Conversation

Member

@rob93c rob93c commented Aug 5, 2025

Summary by CodeRabbit

  • Chores
    • Updated the JetBrains Qodana JVM linter to version 2025.2, improving static analysis accuracy.
    • Expanded CI workflow permissions for the Qodana job to allow writing to the Checks API, enabling richer automated feedback in pull request checks.

Contributor

coderabbitai bot commented Aug 5, 2025

📝 Walkthrough

Bumped the JetBrains Qodana JVM linter image tag in qodana.yaml from 2025.1 to 2025.2, and added a per-job permission override granting checks: write to the qodana job in .github/workflows/unit-test.yml. No other workflow or code changes.

Changes

Cohort / File(s) | Change Summary
Qodana Linter Version Update (qodana.yaml) | Updated JetBrains Qodana JVM linter image tag from 2025.1 to 2025.2.
Workflow Job Permission (.github/workflows/unit-test.yml) | Added a per-job permissions: checks: write override to the qodana job. Top-level workflow permissions were not changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Suggested labels

dependencies

Poem

"I hopped in with a patch and a sip of tea,
Linter upgraded — a small victory for me.
A permission granted in one tiny spot,
Quiet changes, tidy and not a lot.
🐰🌿"


coderabbitai bot previously approved these changes Aug 5, 2025
Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/unit-test.yml (1)

13-14: Fork PRs caveat: added write permissions won’t apply to untrusted forks.

On pull_request events from forks, GITHUB_TOKEN is read-only by default; these write scopes won’t take effect. If your intent is to publish PR comments or enhanced checks on forks, you’ll need an alternative approach (e.g., pull_request_target with strict hardening, a GitHub App, or a bot token restricted to a safe surface).

Would you like guidance on a safe pull_request_target pattern for Qodana that avoids code execution risks from forks?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9289326 and 8c16654.

📒 Files selected for processing (1)
  • .github/workflows/unit-test.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: rob93c
PR: Stickerifier/Stickerify#298
File: qodana.yaml:6-6
Timestamp: 2024-11-02T11:09:02.322Z
Learning: The `jetbrains/qodana-jvm:2024.2` linter has been released and is available on DockerHub as of November 2024, and can be safely used in `qodana.yaml` files.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Execute unit tests (macos-13)
  • GitHub Check: Execute unit tests (windows-latest)
  • GitHub Check: Execute unit tests (ubuntu-latest)

Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/unit-test.yml (1)

59-60: Drop checks: write unless you need the Checks UI; SARIF upload already handled

Given post-pr-comment: false, pr-mode: false, and a separate SARIF upload step, checks: write is likely unnecessary. Keep it only if you explicitly want Qodana to create/update a Check Run in the “Checks” tab. Otherwise, prefer least privilege.

Apply this diff to remove the permission from the qodana job:

 qodana:
-    permissions:
-      checks: write
+    # permissions:
+    #   checks: write  # Uncomment only if you rely on Qodana Check Runs output
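Review bot: Deleting the per-job `permissions:` block makes the `qodana` job fall back to the workflow-level permissions, which still carry `security-events: write` (the walkthrough notes the top-level block was not changed), so the SARIF upload keeps working; but drop the two lines outright instead of leaving `# permissions:` / `#   checks: write` commented out, since commented-out YAML tends to linger as clutter and the condition for re-adding the scope is better recorded in the PR description or a one-line comment on the job.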

Additionally (outside the selected range), consider scoping permissions per job:

  • tests job: permissions: contents: write (needed for Gradle dependency graph submit)
  • qodana job: permissions: security-events: write (needed for SARIF upload)

This allows removing the top-level security-events: write and keeping each job minimal.

Would you like me to propose a full workflow patch that scopes permissions per job as above?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8c16654 and 89bd209.

📒 Files selected for processing (1)
  • .github/workflows/unit-test.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: rob93c
PR: Stickerifier/Stickerify#298
File: qodana.yaml:6-6
Timestamp: 2024-11-02T11:09:02.322Z
Learning: The `jetbrains/qodana-jvm:2024.2` linter has been released and is available on DockerHub as of November 2024, and can be safely used in `qodana.yaml` files.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: Build and upload Docker image
  • GitHub Check: Execute unit tests (windows-latest)
  • GitHub Check: Execute unit tests (macos-13)
  • GitHub Check: Execute unit tests (ubuntu-latest)
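The per-job least-privilege layout the review above suggests, written out here as an added illustration; this is not the project's actual unit-test.yml. Job names and the three scopes come from the review comment, while triggers, runners, step contents and the SARIF file path are assumptions.

```yaml
# Added illustration, not the project's own workflow file.
# Job names and scopes follow the review comment; everything else is assumed.
name: unit-test

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level baseline is read-only. Each job opts in to the one write
# scope it actually needs instead of inheriting a broad top-level grant.
permissions:
  contents: read

jobs:
  tests:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed for the Gradle dependency-graph submit (per the review)
    steps:
      - uses: actions/checkout@v4
      - name: Build and submit dependency graph (assumed step)
        run: ./gradlew build   # placeholder command

  qodana:
    runs-on: ubuntu-latest
    # A job-level permissions block REPLACES the workflow-level one: any scope
    # not listed here becomes none, so contents: read must be restated or
    # actions/checkout will fail.
    permissions:
      contents: read
      security-events: write   # the only scope the SARIF upload needs
      # checks: write is deliberately absent: with post-pr-comment: false and
      # pr-mode: false no Check Run is created, so the scope would sit unused.
    steps:
      - uses: actions/checkout@v4
      - name: Run Qodana (assumed step)
        run: echo "qodana scan placeholder"
      - name: Upload SARIF (assumed step)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: qodana.sarif.json   # placeholder path
```

On pull_request runs from forks GITHUB_TOKEN stays read-only regardless of these declarations, so the write scopes only take effect for branches in the repository itself.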

@rob93c rob93c merged commit ad72d38 into main Aug 14, 2025
8 checks passed
@rob93c rob93c deleted the bump-qodana-2025.2 branch August 14, 2025 08:06