docs/guides/github-pr-review-bot.mdx
Before starting, ensure you have:
You can remix the default review bot configuration at continue.dev/continuedev/review-bot to create your own personalized version with custom prompts, rules, and behaviors. </Info>
Navigate to your repository settings: **Settings → Secrets and variables → Actions**
**Required Secrets:**
- `CONTINUE_API_KEY` - Your Continue API key from [continue.dev/settings/api-keys](https://continue.dev/settings/api-keys)
**Optional (for better permissions):**
- **Variables** tab: `APP_ID` - GitHub App ID (for enhanced API rate limits)
- **Secrets** tab: `APP_PRIVATE_KEY` - GitHub App private key
<Accordion title="Setting up a GitHub App (Optional but Recommended)">
For better rate limits and permissions, create a GitHub App:
1. Go to Settings → Developer settings → GitHub Apps → New GitHub App
2. Set permissions:
- **Contents**: Read
- **Pull Requests**: Write
- **Issues**: Write
3. Generate a private key
4. Install the app on your repository
5. Add `APP_ID` as a repository **variable** (Variables tab)
6. Add `APP_PRIVATE_KEY` as a repository **secret** (Secrets tab)
Without a GitHub App, the action will use the default `GITHUB_TOKEN`.
</Accordion>
Create a GitHub Actions workflow file at `.github/workflows/code-review.yml` with the provided configuration.
name: Continue Code Review
on:
pull_request:
types: [opened, synchronize, ready_for_review]
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: write
issues: write
jobs:
review:
runs-on: ubuntu-latest
# Only run on PRs or when @review-bot is mentioned
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@review-bot'))
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better context
# Optional: Use GitHub App token for better rate limits
- name: Generate App Token
id: app-token
if: vars.APP_ID != ''
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install Continue CLI
run: npm i -g @continuedev/cli
- name: Get Pull Request Details
id: pr
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
# Get pull request number and details
if [ "${{ github.event_name }}" = "pull_request" ]; then
PR_NUMBER=${{ github.event.pull_request.number }}
else
PR_NUMBER=$(jq -r .issue.number "$GITHUB_EVENT_PATH")
fi
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
# Get pull request diff
gh pr diff $PR_NUMBER > pr.diff
# Get changed files
gh pr view $PR_NUMBER --json files -q '.files[].path' > changed_files.txt
- name: Run Continue Review
env:
CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
# Check if custom rules exist
if [ -d ".continue/rules" ]; then
echo "📋 Found custom rules in .continue/rules/"
RULES_CONTEXT="Apply the custom rules found in .continue/rules/ directory."
else
echo "ℹ️ No custom rules found. Using general best practices."
RULES_CONTEXT="Review for general best practices, security issues, and code quality."
fi
# Build review prompt
PROMPT="Review this pull request with the following context:
## Changed Files
$(cat changed_files.txt)
## Diff
\`\`\`diff
$(cat pr.diff)
\`\`\`
## Instructions
$RULES_CONTEXT
Provide:
1. A brief summary of changes
2. Key findings (potential issues, security concerns, suggestions)
3. Positive observations (good practices, improvements)
4. Specific actionable recommendations
Format as markdown suitable for a GitHub pull request comment."
# Run Continue CLI in headless mode
cn --config continuedev/review-bot \
-p "$PROMPT" \
--auto > review_output.md
- name: Post Review Comment
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
# Add header
cat > review_comment.md <<'EOF'
## 🤖 AI Code Review
EOF
# Add review content
cat review_output.md >> review_comment.md
# Add footer
cat >> review_comment.md <<'EOF'
---
*Powered by [Continue](https://continue.dev) • Need a focused review? Comment `@review-bot check for [specific concern]`*
EOF
# Check for existing review comment
EXISTING_COMMENT=$(gh pr view ${{ steps.pr.outputs.pr_number }} \
--json comments -q '.comments[] | select(.body | contains("🤖 AI Code Review")) | .id' | head -1)
if [ -n "$EXISTING_COMMENT" ]; then
echo "Updating existing comment..."
gh api --method PATCH \
"repos/${{ github.repository }}/issues/comments/$EXISTING_COMMENT" \
-f body="$(cat review_comment.md)"
else
echo "Creating new comment..."
gh pr comment ${{ steps.pr.outputs.pr_number }} \
--body-file review_comment.md
fi
Define your team's standards in .continue/rules/:
Create .continue/rules/security.md:
---
globs: "**/*.{ts,tsx,js,jsx,py}"
description: "Security Review Standards"
alwaysApply: true
---
# Security Checklist
- No hardcoded credentials, API keys, or secrets
- All user inputs are validated and sanitized
- SQL queries use parameterization (no string concatenation)
- Authentication and authorization checks are in place
- Sensitive data is properly encrypted
- Error messages don't leak sensitive information
---
globs: "**/*.{ts,tsx}"
description: "TypeScript Best Practices"
---
# TypeScript Standards
- Use strict type checking (avoid `any` types)
- Prefer interfaces for object shapes
- Use proper error handling with typed errors
- Document complex types with JSDoc comments
- Export types for public APIs
- Use const assertions where appropriate
---
globs: "**/*.{test,spec}.{ts,tsx,js,jsx}"
description: "Testing Requirements"
---
# Testing Guidelines
- Write tests for new features and bug fixes
- Test both happy paths and error conditions
- Use descriptive test names that explain intent
- Keep tests focused and isolated (no shared state)
- Mock external dependencies
- Aim for meaningful assertions, not coverage metrics
---
globs: "**/*.py"
description: "Python Code Standards"
---
# Python Best Practices
- Follow PEP 8 style guidelines
- Use type hints for function signatures
- Write docstrings for public functions/classes
- Use context managers for resource management
- Prefer list comprehensions for simple transformations
- Handle exceptions explicitly, avoid bare except
The workflow follows these steps:
.continue/rules/Comment on any pull request to trigger focused reviews:
@review-bot check for security issues
@review-bot review the TypeScript types
@review-bot explain the architecture changes
@review-bot focus on error handling
The workflow will respond with a targeted review based on your request.
By default, the workflow uses the continuedev/review-bot config optimized for code reviews. Replace continuedev/review-bot with your own config:
- name: Run Continue Review
env:
CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
CONTINUE_ORG: your-org-name # Add your org
CONTINUE_CONFIG: username/config-name # Add your config
run: |
cn --config $CONTINUE_ORG/$CONTINUE_CONFIG \
-p "$PROMPT" \
--auto > review_output.md
Store CONTINUE_ORG and CONTINUE_CONFIG as repository variables for easy updates.
</Tab>
<Tab title="Filter by File Types">
Only review specific file types in pull requests:
on:
pull_request:
types: [opened, synchronize, ready_for_review]
paths:
- '**.ts'
- '**.tsx'
- '**.py'
- '**.go'
Skip large pull requests that would be expensive to review:
- name: Check PR Size
id: size-check
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
ADDITIONS=$(gh pr view ${{ steps.pr.outputs.pr_number }} --json additions -q .additions)
DELETIONS=$(gh pr view ${{ steps.pr.outputs.pr_number }} --json deletions -q .deletions)
TOTAL=$((ADDITIONS + DELETIONS))
if [ $TOTAL -gt 1000 ]; then
echo "skip=true" >> $GITHUB_OUTPUT
echo "⚠️ Pull request too large for automatic review ($TOTAL lines changed)"
else
echo "skip=false" >> $GITHUB_OUTPUT
fi
- name: Run Continue Review
if: steps.size-check.outputs.skip != 'true'
# ... rest of review step
Here's what a typical review comment looks like:
🤖 AI Code Review
Summary
This pull request introduces a new user authentication system with JWT tokens and password hashing. The implementation follows security best practices with a few minor suggestions.
Key Findings
Security ✅
- Password hashing properly implemented with bcrypt
- JWT tokens include appropriate expiry
- Input validation present for all endpoints
Code Quality 💡
- Consider adding rate limiting to login endpoint
- The
secretKeyshould be loaded from environment variables, not hardcoded- Add unit tests for token expiration edge cases
Positive Observations
- Good separation of concerns with middleware pattern
- Clear error messages for authentication failures
- Proper async/await usage throughout
Recommendations
- Move
secretKeyto environment variables (see.continue/rules/security.md)- Add rate limiting middleware to prevent brute force attacks
- Consider adding integration tests for the auth flow
- Document the JWT payload structure
Powered by Continue • Need a focused review? Comment
@review-bot check for security
After completing this setup, you have an AI-powered code review system that:
Share your pull request review bot configuration:
#ContinueDev