david wyatt

How to complete a Power Automate code review with AutoReview

I wrote here why I think code reviews are so important for Power Automate, but how exactly do you do a code review? My original approach was to open the flow and look, though this can be a pain, as you need either the flow shared with you, or all the connections (like SharePoint) shared and an export.

While developing in Blue Prism my company provide a great code review tool called RoboReview. It is an automated tool that checks for the basics, like naming conventions and possible infinite loops. For Power Automate I wanted something similar but couldn't find one, so I decided to make my own, called AutoReview. It's a free Chrome extension that extracts key data and produces a report to review.

So I now do all my code reviews with AutoReview, using 3 of its main functions.

Review

The Review page scores the flow, with either a Red, Amber or Green score. This gives you an instant view, as anything red needs some work. After the overall score I look at the following.

4 Score Cards

Complexity and Actions let me know the flow might be hard to read. If they are red, it tells me the flow is either built inefficiently, has too many connections or should be structured as multiple flows.

Built inefficiently

  • Check Variables - you don't need variables very often, see here
  • Check Composes - again should be used very rarely, see here

Too many connections

  • Check Connection references - having multiple connections can be a security issue, and a high count of them often shows poor flow planning

Should be structured as multiple flows

  • Filter nested in actions to '|' - high levels are a good indicator that the flow should be split into child flows
  • Review Diagram - a high number of branches is another flag for child flows

The Exception card lets me know if any exception handling has taken place in the flow; if this is red then for me this is an instant fail. The exception tag also lets me know if there is an overarching exception catch for the flow, another one of my key requirements.

Trigger

A quick look to see if there are lots of inputs for buttons and if triggers are broken by an environment change. (By selecting a folder as a trigger in Get Email, the folder Id is selected, meaning it won't work with a different account. The folder name should be shown, see here.)

Variables

For variables I look at a few things, starting with whether they follow the naming convention to ensure readability. Next, are they being used (if there are a lot, filter by field)? Finally, are variables with a value actually constants? I filter the Action Inputs table by the variable name to see if any action changes the variable.

Actions

For each action I check that the name explains what it does and which action it is. I also look at run after; any that are not just 'Success' I review in Diagram to make sure the logic is right.

Actions Inputs

If it is a solution-aware flow, I filter actions to see if environment variables are used; if not, I would flag it, as this will impact ALM.

I also look over the inputs just to see nothing is hardcoded and the expressions make sense.

API Actions

Using the filter, I find actions with no pagination and check whether the action returns an array - see here why pagination is important.

I also check retry. If it is left blank, I check whether the action is in a loop, as this should be handled as an exception - unless there's a good reason, which should be in the action note.

Exceptions

All exceptions should include fail and timeout, so I make sure that if it's just fail there is a reason.
For consistency I check for a Scope named Exception running after another Scope named Main, as this will ensure all of the flow is covered by exception handling. Read here for exception handling.

Diagram

As you have seen, I use both Review and Diagram at the same time, but there are a few things I look for only in the diagram:

  • Check loops have required exception handling
  • Check any loops within loops are necessary
  • Exception catches handle exception with communication and terminate to show run failed
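
The Main/Exception scope check from the Exceptions section and the loop and terminate checks in the list above can be run directly over a flow definition. This is an added example, not AutoReview's code: it assumes the definition follows the Logic Apps workflow schema (`runAfter`, `Scope`, `Foreach`, `Until`, `Terminate`), and `reviewExceptionHandling` and `sampleFlow` are hypothetical names, with the sample flow constructed for illustration.

```javascript
// Added example, not AutoReview code. sampleFlow is constructed for illustration.
const LOOPS = new Set(["Foreach", "Until"]);

// Child action maps of a container: scope/loop bodies, condition branches, switch cases.
function childMaps(a) {
  const maps = [a.actions, a.else?.actions, a.default?.actions];
  for (const c of Object.values(a.cases || {})) maps.push(c.actions);
  return maps.filter(Boolean);
}

// Depth-first walk yielding each action with the number of loops enclosing it.
function* walk(actions, loopDepth = 0) {
  for (const [name, action] of Object.entries(actions || {})) {
    yield { name, action, loopDepth };
    const inner = loopDepth + (LOOPS.has(action.type) ? 1 : 0);
    for (const m of childMaps(action)) yield* walk(m, inner);
  }
}

function reviewExceptionHandling(definition) {
  const findings = [];
  const top = definition.actions || {};
  const exc = top.Exception;
  if (top.Main?.type !== "Scope") findings.push("no top-level Scope named Main");
  if (exc?.type !== "Scope") {
    findings.push("no top-level Scope named Exception");
  } else {
    // The catch-all must fire on both failure and timeout of Main.
    const statuses = exc.runAfter?.Main || [];
    for (const s of ["Failed", "TimedOut"])
      if (!statuses.includes(s)) findings.push(`Exception does not run after Main on ${s}`);
    // The catch must end the run as failed, otherwise the run history shows success.
    const terminates = [...walk(exc.actions)].some(
      ({ action }) => action.type === "Terminate" && action.inputs?.runStatus === "Failed");
    if (!terminates) findings.push("Exception has no Terminate with runStatus Failed");
  }
  for (const { name, action, loopDepth } of walk(top))
    if (LOOPS.has(action.type) && loopDepth > 0) findings.push(`loop ${name} is inside another loop`);
  return findings;
}

const sampleFlow = { actions: {
  Main: { type: "Scope", runAfter: {}, actions: {
    Each_site: { type: "Foreach", foreach: "@body('Get_sites')", actions: {
      Each_item: { type: "Foreach", foreach: "@items('Each_site')?['items']", actions: {} } } } } },
  Exception: { type: "Scope", runAfter: { Main: ["Failed"] }, actions: {
    Notify_owner: { type: "Compose", inputs: "Flow failed" } } },
} };

console.log(reviewExceptionHandling(sampleFlow));
```

A nested-loop finding is a prompt to confirm the inner loop is necessary, not an automatic fail.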

Solutions

If the export is a solution (and they really should be), I check the contents of the solution, making sure it's named right and has everything necessary.
I check the Connection references: does every connection use a reference, and are there unnecessary duplicates?

Finally, I look for any missing dependencies, as these will stop the deployment.

And that's pretty much it. I obviously keep an eye out for any obvious bugs, but the above covers nearly everything.

To use it, simply add the extension from the Chrome Store or Edge Store.

Top comments (10)

david wyatt

Issue with Switch - I have identified an issue with the definition schema: within Switches only the first compose and variable actions have operationMetadataId’s. So only the first compose and first variable action appear in the report. This appears to be a bug from Microsoft, I'm looking at a fix.

david wyatt

Further update to this bug. It turns out any action created inside a Switch does not have an operationMetadataId, but actions created outside and moved in do (this bug can also be seen if you try to copy and paste a step/action created within a Switch). I am raising a ticket with Microsoft but doubt this will be a priority. In the meantime any flow using a Switch must have the step/action created outside of the Switch.

Piyush

This is an amazing tool, but in my org, question was around data security - will our data be shared anywhere, do we have any documentation around that please - I really want to start using this tool!

david wyatt

Hi Piyush, in the chrome/edge store I explicitly called out the extension does not share anything, it does everything in the extension locally.
You can check the network traffic in dev tools and you won't see anything being posted.
But it is a good shout out, extensions have a lot of privileges so could be misused. Both Google and Microsoft review extensions before publishing but that hasn't stopped issues in the past.

Piyush

Thank you @wyattdave for clarification, this will really help me to take that forward. I really want to use this tool to review all my code. Somehow, extensions are disabled in my org, do you have any API for the same which I can utilize and when are we getting the same for Power Apps :) . I AM SO EXCITED

david wyatt

I see why, as I said Chrome extensions have a lot of privileges. Check out my next blog on Monday, might be interesting for you 😎
As for Power Apps version, already available here chrome.google.com/webstore/detail/...
It's a little less automated as Apps require more human opinion but it's a lot quicker than any other way I know to do a code review.

Piyush

Thank you @wyattdave - I must say, you are solving a huge problem here - Thank you

david wyatt

My latest blog talks about an API here. I also spun up a web page version, it's stripped down but hopefully helps wyattdave.github.io/Auto-Review/Au...

Bala Madhusoodhanan

This is super cool ... Specially if you get a way to config the framework and drive your own complexity metrics. One recommendation would be to state the obvious when a custom / premium connector is the complexity is raised automatically as it would need review from security / audit point of view

david wyatt

Great idea, it's going on the list, thank you