Skip to content

feat: add AI code review workflows (ChatGPT, Claude, Kimi) #143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ElFantasma merged 5 commits into from
Jan 29, 2026
Merged

feat: add AI code review workflows (ChatGPT, Claude, Kimi) #143

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
da58400
feat: add AI code review workflows (ChatGPT, Claude, Kimi)
ElFantasma Jan 28, 2026
95b2ba4
refactor: consolidate AI review prompt and simplify workflows
ElFantasma Jan 29, 2026
4e1e1be
feat: add ChatGPT reviewer workflow with @chatgpt trigger
ElFantasma Jan 29, 2026
dce2a32
Apply suggestion from @greptile-apps[bot]
ElFantasma Jan 29, 2026
9bd4a16
Apply suggestion from @greptile-apps[bot]
ElFantasma Jan 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .claude/settings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"attribution": {
"commit": "",
"pr": ""
}
}
Copy link

@github-actions github-actions bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code patch introduces a JSON structure, but it lacks crucial information in the 'commit' and 'pr' fields, which are currently empty strings. This suggests that it might be part of a larger code management strategy, and information is missing that could hinder traceability. Additionally:

  1. Validation: There are no checks or validations on the values that should be stored in the 'commit' and 'pr' fields. They should ideally contain valid commit hashes and pull request identifiers, respectively. Adding validation can prevent potential bugs later on.

  2. Documentation: There's no indication of how this structure will be utilized in the surrounding codebase. A comment or documentation would be beneficial to clarify its intended purpose.

  3. Version Control: If this JSON structure is expected to be modified frequently, consider versioning it within the structure for better manageability in the future.

As it stands, the patch should be revised to address these potential issues before merging.

56 changes: 56 additions & 0 deletions .github/workflows/pr_review_chatgpt.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: PR Review - ChatGPT

on:
pull_request:
types: [opened, synchronize, reopened]
pull_request_review_comment:
types: [created]

permissions:
contents: read
pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
chatgpt-review:
name: ChatGPT Code Review
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: ChatGPT Code Review
uses: anc95/ChatGPT-CodeReview@main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
with:
openai_engine: gpt-4o
language: en
review_comment_lgtm: false
max_tokens: 4096
prompt: |
You are a senior code reviewer for spawned, a Rust actor framework with support for both async (tokio) and thread-based backends.

Review this PR focusing on:
- Code correctness and potential bugs
- Concurrency issues (race conditions, deadlocks, data races)
- Performance implications
- Rust best practices and idiomatic patterns
- Memory safety and proper error handling
- Code readability and maintainability

Actor framework-specific considerations:
- Actor lifecycle management (init, shutdown, cancellation)
- Message passing correctness and ordering
- Proper use of CancellationToken and graceful shutdown
- Thread safety and synchronization primitives
- Timer and interval handling

Be concise and specific. Provide line references when suggesting changes.
If the code looks good, acknowledge it briefly.
Copy link

@github-actions github-actions bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review Feedback

  1. Potential Bugs:

    • OpenAI Engine Parameter: The parameter openai_engine: gpt-4o might be a typo as there is no known version like 'gpt-4o'. It should be checked against valid OpenAI engine options.

  2. Risks:

    • Secrets Management: Ensure that GITHUB_TOKEN and OPENAI_API_KEY are set up correctly in the repository secrets. Failure to provide these will lead to a runtime failure.
    • Concurrency Handling: The concurrency setup is good for canceling in-progress jobs, but ensure that this behavior is intended; it could lead to race conditions if not properly managed.

  3. Improvement Suggestions:

    • Versioning Checkout Action: Instead of actions/checkout@v4, consider specifying a more stable version tag (e.g., actions/checkout@v2) to avoid sudden breaking changes when 'v4' is released.
    • Logging and Error Handling: Implement logging around the code review step to capture any errors related to the OpenAI interaction and provide insight during failures.
    • Documentation and Comments: Adding comments in the code and document references to the tools and actions used would benefit maintainability and clarity for future developers.
    • Test Cases: Consider including tests for the workflow to validate different scenarios, including error handling when the OpenAI service is down or unresponsive.

  4. Code Readability: Overall, the structure and flow of the workflow are clear. However, consider using consistent formatting for YAML key-value pairs to enhance readability.

Summary

Due to the potential bug with the 'gpt-4o' engine parameter and other risks identified, I recommend addressing these issues before merging this patch.

61 changes: 61 additions & 0 deletions .github/workflows/pr_review_claude.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
name: PR Review - Claude

on:
pull_request:
types: [opened, synchronize, reopened]
pull_request_review_comment:
types: [created]
issue_comment:
types: [created]

permissions:
contents: read
pull-requests: write
issues: write
id-token: write

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
claude-review:
name: Claude Code Review
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' && github.event.issue.pull_request && contains(github.event.comment.body, '@claude')) ||
(github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude'))
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Claude Code Review
uses: anthropics/claude-code-action@beta
with:
anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
model: claude-sonnet-4-20250514
trigger_phrase: "@claude"
timeout_minutes: 30
direct_prompt: |
You are a senior code reviewer for spawned, a Rust actor framework with support for both async (tokio) and thread-based backends.

Review this PR focusing on:
- Code correctness and potential bugs
- Concurrency issues (race conditions, deadlocks, data races)
- Performance implications
- Rust best practices and idiomatic patterns
- Memory safety and proper error handling
- Code readability and maintainability

Actor framework-specific considerations:
- Actor lifecycle management (init, shutdown, cancellation)
- Message passing correctness and ordering
- Proper use of CancellationToken and graceful shutdown
- Thread safety and synchronization primitives
- Timer and interval handling

Be concise and specific. Provide line references when suggesting changes.
If the code looks good, acknowledge it briefly.
Copy link

@github-actions github-actions bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review of Code Patch:

  1. Event Trigger Logic: The condition that determines when the job runs may be too broad. Specifically, the logic used in the if statement for the job can be prone to erroneously triggering. Ensure that the context in which @claude is specified is strictly related to meaningful content rather than any comment. It would be prudent to add more specific validation on the comments that trigger the workflow.

  2. Permissions: The explicit permissions granted, particularly id-token: write, may pose security risks. Only grant permissions that are necessary for the job execution and review/update the scope of permissions according to the principle of least privilege.

  3. Secrets Management: The use of ${{ secrets.ANTHROPIC_API_KEY }} is a good practice for secret management. However, ensure that secrets are managed and rotated properly to prevent unauthorized access.

  4. Timeout Configuration: The timeout_minutes value is set to 30. Thoroughly assess whether this is an appropriate time limit for the review process. Depending on the size of the codebase being reviewed, this may either lead to premature termination or unnecessarily lengthy waits.

  5. Prompt Clarity: The prompt provided is quite extensive. While being thorough is beneficial, it may overwhelm the review model. Consider breaking down the request into more digestible parts or prioritizing the most critical points.

  6. Action Versioning: It is noted that uses: actions/checkout@v4. Ensure to always check if this is the latest stable version, as using beta or alpha versions in production can lead to instability or unexpected modifications.

  7. Documentation and Comments: It would be beneficial to add comments within the YAML file explaining each section and why certain configurations are set, which would assist future maintainers.

Overall, although the foundation of the code looks promising, the aforementioned risks and areas for improvement need to be addressed before merging.

100 changes: 100 additions & 0 deletions .github/workflows/pr_review_kimi.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
name: PR Review - Kimi

on:
pull_request:
types: [opened, synchronize, reopened]

permissions:
contents: read
Copy link

@github-actions github-actions bot Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change made at the modified line uses jq -Rs . to read and sanitize the contents of pr_diff_truncated.txt. Here are my comments:

  1. Correctness & Potential Bugs: The existing change correctly reads the file into a JSON-compatible format by converting it into a raw string. This avoids escape issues with characters when using JSON.

  2. Performance: Using jq -Rs . is efficient for sanitizing string inputs as it ensures characters are appropriately escaped for JSON.

  3. Best Practices: The pattern used here is idiomatic and effectively handles string escaping in JSON.

  4. Memory Safety & Error Handling: There seems to be no direct error handling for the cat command. Consider checking if the file exists and is readable beforehand, or handle potential errors from cat.

  5. Readability & Maintainability: The command substitution reads well. However, for clarity, a comment explaining why jq -Rs . is used would help future maintainers understand its purpose.

Overall, while the code change is small and functionally correct, I'd recommend adding error handling related to file existence and perhaps adding a comment explaining why jq -Rs . is utilized in this context for best maintainability.

Please address these suggestions before merging.

pull-requests: write

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
kimi-review:
name: Kimi Code Review
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Get PR diff
id: diff
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh pr diff ${{ github.event.pull_request.number }} > pr_diff.txt
# Truncate if too large (Kimi has context limits)
head -c 100000 pr_diff.txt > pr_diff_truncated.txt

- name: Kimi Code Review
id: kimi_review
env:
KIMI_API_KEY: ${{ secrets.KIMI_API_KEY }}
PR_TITLE: ${{ github.event.pull_request.title }}
run: |
if [ -z "$KIMI_API_KEY" ]; then
echo "Error: KIMI_API_KEY secret is not set" > kimi_review.txt
exit 0
fi

DIFF_CONTENT=$(cat pr_diff_truncated.txt)

# Build the request body
REQUEST_BODY=$(jq -n \
--arg diff "$DIFF_CONTENT" \
--arg title "$PR_TITLE" \
'{
"model": "moonshot-v1-128k",
"messages": [
{
"role": "system",
"content": "You are a senior code reviewer for spawned, a Rust actor framework with support for both async (tokio) and thread-based backends."
},
{
"role": "user",
"content": ("PR Title: " + $title + "\n\nReview this PR focusing on:\n- Code correctness and potential bugs\n- Concurrency issues (race conditions, deadlocks, data races)\n- Performance implications\n- Rust best practices and idiomatic patterns\n- Memory safety and proper error handling\n- Code readability and maintainability\n\nActor framework-specific considerations:\n- Actor lifecycle management (init, shutdown, cancellation)\n- Message passing correctness and ordering\n- Proper use of CancellationToken and graceful shutdown\n- Thread safety and synchronization primitives\n- Timer and interval handling\n\nBe concise and specific. Provide line references when suggesting changes.\nIf the code looks good, acknowledge it briefly.\n\nDiff:\n" + $diff)
}
],
"temperature": 0.3,
"max_tokens": 4096
}')

# Try the API call
HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" https://api.moonshot.ai/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $KIMI_API_KEY" \
-d "$REQUEST_BODY")

HTTP_CODE=$(echo "$HTTP_RESPONSE" | tail -n1)
RESPONSE=$(echo "$HTTP_RESPONSE" | sed '$d')

if [ "$HTTP_CODE" != "200" ]; then
echo "API Error (HTTP $HTTP_CODE): $RESPONSE" > kimi_review.txt
else
# Check for API errors in response
ERROR=$(echo "$RESPONSE" | jq -r '.error.message // empty')
if [ -n "$ERROR" ]; then
echo "API Error: $ERROR" > kimi_review.txt
else
REVIEW=$(echo "$RESPONSE" | jq -r '.choices[0].message.content // "Error: Unexpected API response"')
echo "$REVIEW" > kimi_review.txt
fi
fi

- name: Post review comment
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
REVIEW_CONTENT=$(cat kimi_review.txt)

gh pr comment ${{ github.event.pull_request.number }} --body "## Kimi AI Code Review

$REVIEW_CONTENT

---
*Automated review by Kimi (Moonshot AI)*"
Copy link

@github-actions github-actions bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Comments

  1. Error Handling:

    • In the 'Kimi Code Review' step, if the KIMI_API_KEY is not set, you echo an error message and exit 0. This does not effectively stop the action as exit 0 indicates success. It would be better to use exit 1 to signal failure.

  2. Truncation Logic:

    • The truncation of the diff to 100,000 bytes is a good precaution, but ensure that this limit is appropriate for your use case. If important information is cut off, the review may miss critical context.
    • Consider adding a warning message if truncation occurs, so that users are aware that the review might be incomplete.

  3. HTTP Response Check:

    • Check that the HTTP response from the API is valid JSON before attempting to parse it using jq. A malformed JSON can lead to the step failing without a clear error message.

  4. Hardcoded API URL:

    • The API endpoint https://api.moonshot.ai/v1/chat/completions is hardcoded. If the API URL changes in the future, all users will need to modify their workflows. Consider moving this to a config variable, allowing for easier updates.

  5. Sensitive Data:

    • Ensure that the debug information does not accidentally expose sensitive information like KIMI_API_KEY. Even in error messages or logs, this should be kept hidden.

  6. Review Comment Formatting:

    • When creating the review comment body, consider that a very large review message may be cut off visually in the GitHub interface. Ensure the output of kimi_review.txt is concise enough for users to easily read.

  7. Environment Variables Visibility:

    • You are using environment variables directly in the run steps. Ensure that any sensitive values are operated under secure contexts to avoid accidental exposure in logs.

Conclusion

These points indicate there are potential bugs and risks associated with the current implementation that need to be addressed before merging.

Loading