There are three key components for configuring Cover Pipeline for GitHub:

  • Labels: Pre-defined Diffblue Cover repository labels to determine test requirements on pull requests (full baseline, update, or skip).

  • Environment Config: Direct license key and access token config.

  • Workflow Config: Configure the Diffblue Cover section of your workflow including Cover version, build config, and Cover commands to execute on pull requests.


When writing tests, Diffblue Cover will respond to specific repository labels:

  • Diffblue Cover: Baseline Used to mark a pull request as requiring a full suite of tests to be written. This overrides the default behavior where Cover will only write tests related to the code changes already in the pull request. The baseline label is applied automatically when running Diffblue Cover for the first time on a project (to create the initial baseline test suite). On subsequent runs, you can select this label within a pull request, if required - useful when you want to refresh your entire test suite, such as when new product enhancements are released (to update the entire test suite with the latest enhancements).

  • Diffblue Cover: Skip Used to mark a pull request as requiring no tests to be written. The skip label is useful when performing pull requests that have no impact on unit tests, such as updates to comments only.

These labels are created automatically in GitHub when running Diffblue Cover for the first time on a project, and can be selected as part of the pull request as needed.

Environment config

To configure the Diffblue license key and associated GitHub access token and permissions:

  1. In GitHub, go to Settings > Secrets and variables > Actions > Repository secrets

  2. Add a New repository secret and set Name to DIFFBLUE_LICENSE_KEY and set Secret to your Diffblue Cover license key (see Licensing, if needed).

  3. Add another New repository secret and set Name to DIFFBLUE_ACCESS_TOKEN and set Secret to the GitHub access token used to allow Diffblue Cover to access your project. In general, use a GitHub Classic access token with full repo permissions. For more information on GitHub access tokens, see the GitHub access tokens docs topic.

  1. Finally, make sure that your repository allows actions to be executed - in the repository go to Settings > Action permissions:

Note that GitHub fine-grained access tokens are in Beta and not supported. If you must use a fine-grained access token then the following are required:

  • Contents: write

  • Pull requests: write

Using an access token with excessive permissions is a security risk. If you use a Personal access token, consider creating a dedicated user with access limited to just the project, minimizing the impact of the token being leaked.

Workflow config

Update or create a workflow YAML file for your project to configure the Diffblue Cover section of your CI/CD pipeline. Copy the contents of the Diffblue Cover Action workflow available from the GitHub Actions Marketplace (sample below) to your project YAML file, and update if needed. Configurable properties are listed below - for everything else, please leave these set to the values defined in the Diffblue template.


Run Diffblue Cover uses:

Select the version of Diffblue Cover to use in your workflow. Tag variations are provided for each supported JDK version - see for details. To use the latest version of Diffblue Cover, use one of the @main tags. To use a specific release version, use one of the tags.

Run Diffblue Cover working-directory:

This can be used to specify a different location in the repository to run Diffblue Cover.

Run Diffblue Cover args:

Diffblue Cover commands and options to run. Default arguments are shown commented out in the template:

ci – enable the Diffblue Cover Action.

activate - activate the license key.

build - build the project using standard Maven or Gradle commands.

validate - remove non-compiling and failing tests.

create - create new tests for the project.

Additional optional arguments can be used with the various commands - see Commands & Arguments for details. Note that Cover Reports arguments are not currently supported for use with Cover Pipeline for GitHub.

For reference, the default Diffblue Cover Action workflow is provided below (uses the latest version of Diffblue Cover and JDK 17) . Note that this is a sample only - use the files provided in the GitHub Marketplace Diffblue Cover Action to ensure that you have the latest version.

name: Example Workflow

# Diffblue Cover Pipeline responds to pull request

# Avoid running the same workflow on the same branch concurrently
  group: ${{ github.workflow }}-${{ github.ref }}

    runs-on: ubuntu-latest

      # Checkout the repository with permission to push
      - name: Checkout
        uses: actions/checkout@v4

      # Run Diffblue Cover
      - name: Diffblue Cover
        uses: diffblue/cover-github-action@main
          JVM_ARGS: -Xmx4096m
          # The access token used to push commits and call GitHub APIs.
          # Must have access to the project with at least Write role, and scopes
          # including code, commit-statuses, pull-requests, workflows and actions.
          access-token: ${{ secrets.DIFFBLUE_ACCESS_TOKEN }}

          # The license key provided in your welcome email or provided by your organization.
          # Alternatively obtain a free trial key from
          license-key: ${{ secrets.DIFFBLUE_LICENSE_KEY }}

          # Working directory where the project can be found, if not at the root.
          # working-directory: path/to/project

          # The Diffblue Cover commands and options to use.
          # Below is the default behavior, uncomment these and edit to customize
          # how Diffblue Cover is run on your project.
          #args: >-
          #  ci
          #  activate
          #  build
          #  validate
          #  create

      # Collect Diffblue Cover outcome files
      # This step saves Diffblue Cover run outcome files for later use. These include summary
      # information on Diffblue Cover's results, reports files, and logs. The information
      # contained in these files can be used for project analysis, metrics, improving analysis
      # or troubleshooting problems.
      # Note that this job will always run even when the Run Diffblue Cover job fails. This
      # ensures troubleshooting logs and output are available.
      - name: Diffblue Artifacts
        if: always()
        uses: actions/upload-artifact@v4
          name: logs
          path: |

Log files

Diffblue Cover log files are saved to a .diffblue/ directory in the pipeline artifacts (as defined in the workflow YAML file), and are available for download once the pipeline workflow completes. These logs include user logs (also output during the run and visible in the job output) and support logs (if you ever require Diffblue support).

Last updated