Create detailed review bot using 'cn' #7106
AI Code Review: Failed to generate review. No specific line comments generated.
Code Review Summary: ✅ Strengths
This PR adds two new GitHub Actions workflows for AI code review functionality. While the implementation provides valuable automation, there are several security, reliability, and best practice concerns that should be addressed.
| # Validate JSON output | ||
| if ! jq empty inline_review.json 2>/dev/null; then | ||
| echo "Invalid JSON output from Continue CLI" | ||
| echo "{\"review_summary\": \"Failed to generate review\", \"comments\": []}" > inline_review.json |
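Review bot: `jq empty` only proves the file is syntactically valid JSON; a response that is a bare string, a top-level array or an object without a `comments` array passes this check and still breaks the later `reviewData.comments?.map(...)` step. Tighten the check to the expected shape, e.g. `jq -e '(.comments | type) == "array"' inline_review.json`, and write the same fallback document when that fails.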
Security concern: CONTINUE_API_KEY is exposed as an environment variable. Consider using GitHub's built-in secret masking and ensure the CLI properly handles sensitive data.
| run: | | ||
| echo "Running Continue CLI for inline review..." | ||
| # Run the CLI and capture JSON output |
Command injection vulnerability: Using cat inline_review_prompt.txt | cn with dynamic content could be exploited if the prompt contains malicious shell commands. Consider using file input parameters instead.
| with: | ||
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI |
Version pinning: Using '@latest' for the Continue CLI install creates unpredictable builds. Pin to a specific version like in the other workflow.
| # Log the output for debugging | ||
| echo "Continue CLI output:" | ||
| cat inline_review.json |
Error handling: If Continue CLI fails or times out, the workflow continues silently. Add proper error checking and exit codes.
| echo "Continue CLI output:" | ||
| cat inline_review.json | ||
| # Validate JSON output |
JSON validation issue: The fallback JSON structure may not match the expected schema. Ensure the fallback maintains the same structure as successful responses.
| const commitSha = pr.head.sha; | ||
| // Prepare review comments | ||
| const comments = reviewData.comments?.map(comment => ({ |
Default value issue: Using comment.line || 1 as fallback could place comments on wrong lines. Validate line numbers against the actual diff.
.github/pull_request_template.md
Outdated
| ## AI Code Review | ||
|
|
||
| - **Team members only**: AI review runs automatically when PR is opened or marked ready for review | ||
| - Team members can also trigger a review by commenting `@continue-review` |
Inconsistency: The template mentions '@continue-review' but the inline workflow looks for '@continue-inline-review'. Ensure trigger commands match between documentation and implementation.
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| with: |
Resource inefficiency: Fetching full git history (fetch-depth: 0) is unnecessary for code review. Consider using a smaller depth or the default shallow clone.
| name: code-review-results | ||
| path: | | ||
| code_review.md | ||
| review_prompt.txt |
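Review bot: `review_prompt.txt` carries the PR diff and is uploaded as a workflow artifact here, so anyone who can read the repository's Actions runs can download it. That is fine for debugging, but make sure nothing from the job environment (in particular the `CONTINUE_API_KEY` value) is ever written into the prompt file, and consider setting a short `retention-days` on this artifact.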
File size check: Large review outputs could cause GitHub API limits. Add file size validation before posting comments.
| Important: | ||
| - Output ONLY valid JSON, no additional text | ||
| - Ensure line numbers match the actual diff | ||
| - Comment on the most important issues first |
Limit enforcement: The comment about 'maximum 20 comments' is not enforced in code. Add validation to truncate excessive comments.
Code Review Summary: ✅ Strengths
cubic analysis: 8 issues found across 3 files
| echo "Running Continue CLI for inline review..." | ||
| # Run the CLI and capture JSON output | ||
| cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p > inline_review.json |
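Review bot: piping the prompt file into `cn` on stdin does not hand its contents to the shell, so this line is not a shell-injection path; the exposure is that the prompt contains PR content authored by whoever opened the PR, and that content reaches the model as instructions. `--readonly` is the right setting for exactly that reason and should stay, and the JSON the CLI writes to `inline_review.json` should be treated as untrusted input and validated before the github-script step posts anything from it.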
If the Continue CLI exits non-zero (e.g., missing CONTINUE_API_KEY or transient error), this step will fail and the workflow will stop before the JSON validation fallback. Add a fallback to produce a minimal JSON so later steps can proceed.
File: .github/workflows/continue-inline-review.yaml, line 120
| cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p > inline_review.json | |
| cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p > inline_review.json || echo '{"review_summary": "Failed to generate review", "comments": []}' > inline_review.json |
| const commitSha = pr.head.sha; | ||
| // Prepare review comments | ||
| const comments = reviewData.comments?.map(comment => ({ |
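Review bot: `pulls.createReview` accepts either `position` or `line` (with optional `side`) per comment, so using `line` does not by itself fail; what the API rejects as unprocessable is a `line` that does not exist in the diff of `path` at `commitSha`. Resolve each comment against the PR's file patches before posting and drop entries that do not land on a RIGHT-side diff line.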
Review comments passed to pulls.createReview should use the position field (diff position), not line. Using line will cause the API call to fail and prevent inline comments from being created.
File: .github/workflows/continue-inline-review.yaml, line 172
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, ready_for_review] |
PR updates won’t trigger this workflow because the synchronize event type is missing. Add it so new commits re-run the review automatically.
File: .github/workflows/continue-review.yaml, line 5
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
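Review bot: `pull-requests: write` is required here because the workflow posts inline comments with `pulls.createReview`; lowering it to `read` would make that call fail with 403. Keep `write`, but declare it in the job's own `permissions:` block rather than at the top level so that any other job later added to this file does not inherit it.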
pull-requests permission is set to write, which is broader than necessary. Use read to follow least-privilege and reduce blast radius if the token is misused.
File: .github/workflows/continue-review.yaml, line 11
| // Prepare review comments | ||
| const comments = reviewData.comments?.map(comment => ({ | ||
| path: comment.path, | ||
| line: comment.line || 1, |
Avoid defaulting to line 1 when a comment lacks a valid line number; this can attach feedback to the wrong location. Validate and discard entries without a valid line or resolve positions against the PR diff before posting.
File: .github/workflows/continue-inline-review.yaml, line 174
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI | ||
| run: npm install -g @continuedev/cli@latest |
The two workflows use inconsistent dependency management for the @continuedev/cli package. continue-inline-review.yaml installs @latest, which can lead to unexpected workflow failures due to breaking changes in the CLI. continue-review.yaml pins the version to 1.4.25, which is more stable. For consistency and reliability, both workflows should pin to a specific version of the CLI.
File: .github/workflows/continue-inline-review.yaml, line 46
| run: npm install -g @continuedev/cli@latest | |
| run: npm install -g @continuedev/cli@1.4.25 |
| # Only run if: | ||
| # - It's a PR event from a team member (with write/admin permissions) | ||
| # - OR it's a comment with @continue-review on a PR from a team member | ||
| if: | |
The job execution condition is almost entirely duplicated between continue-review.yaml and continue-inline-review.yaml. This violates the DRY principle. This shared logic for checking permissions based on author_association should be extracted into a reusable workflow (workflow_call) to avoid code duplication and improve maintainability. Any future changes to permission logic would only need to be made in one place.
File: .github/workflows/continue-review.yaml, line 22
.github/pull_request_template.md
Outdated
| ## AI Code Review | ||
|
|
||
| - **Team members only**: AI review runs automatically when PR is opened or marked ready for review | ||
| - Team members can also trigger a review by commenting `@continue-review` |
Clarify the trigger commands in the PR template to cover both general and inline review triggers so contributors know how to start each workflow.
File: .github/pull_request_template.md, line 8
| - Team members can also trigger a review by commenting `@continue-review` | |
| - Team members can also trigger a review by commenting `@continue-review` or `@continue-inline-review` |
cubic analysis: 11 issues found across 3 files
| @@ -0,0 +1,243 @@ | |||
| name: Continue CLI Inline Code Review | |||
The two new workflow files, continue-inline-review.yaml and continue-review.yaml, contain a significant amount of duplicated configuration and logic. This includes triggers, permissions, environment setup, and conditional execution logic. This violates the DRY (Don't Repeat Yourself) principle, leading to increased maintenance overhead and potential for inconsistencies. A better approach would be to use GitHub Actions' reusable workflows to share the common setup and execution steps.
File: .github/workflows/continue-inline-review.yaml, line 1
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI | ||
| run: npm install -g @continuedev/cli@1.4.25 |
There is an inconsistency in the versioning of @continuedev/cli between the two new workflows. This workflow pins the version to 1.4.25, while continue-inline-review.yaml uses @latest. Using @latest can introduce non-deterministic behavior and potential breakages into the workflow when new versions are released. All workflows should use a consistent, pinned version of the CLI to ensure stability and predictable execution.
File: .github/workflows/continue-review.yaml, line 46
| run: npm install -g @continuedev/cli@1.4.25 | |
| run: npm install -g @continuedev/cli@latest |
| # - It's a PR event from a team member (with write/admin permissions) | ||
| # - OR it's a comment with @continue-inline-review on a PR from a team member | ||
| if: > | ||
| (github.event_name == 'pull_request' && |
Draft pull requests will trigger a review on the opened event because there’s no draft check in the condition. This can produce premature reviews before the PR is ready.
File: .github/workflows/continue-inline-review.yaml, line 23
| (github.event_name == 'pull_request' && | |
| (github.event_name == 'pull_request' && !github.event.pull_request.draft && |
| Guidelines for comments: | ||
| - Be specific and actionable | ||
| - Reference the exact line number from the diff |
Prompt instructs the model to use diff-relative line numbers, but the API usage expects either file line numbers (with side) or patch positions. This mismatch can lead to invalid annotations. Clarify that comments should reference file line numbers on the head commit (RIGHT side) or provide patch positions if you switch to using position.
File: .github/workflows/continue-inline-review.yaml, line 100
| - Reference the exact line number from the diff | |
| - Reference the exact file line number on the RIGHT side (in the head commit), not the diff position |
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, ready_for_review] |
Workflow won’t run on new commits pushed to existing PRs because the synchronize action isn’t included. This limits usefulness of the reviewer after initial open/ready events.
File: .github/workflows/continue-inline-review.yaml, line 5
| types: [opened, ready_for_review] | |
| types: [opened, ready_for_review, synchronize] |
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, ready_for_review] |
Category: Maintainability — Missing synchronize in pull_request types means the review will not run when new commits are pushed to an existing PR, reducing usefulness and requiring manual comment triggers.
File: .github/workflows/continue-review.yaml, line 5
| github.event.pull_request.author_association == 'COLLABORATOR')) || | ||
| (github.event_name == 'issue_comment' && | ||
| github.event.issue.pull_request && | ||
| contains(github.event.comment.body, '@continue-review') && |
Category: Security — The issue_comment branch does not verify that the PR author is a team member, despite the comment stating it should. This allows team members to trigger reviews (and send diffs to external services) on PRs from external contributors, which may violate your intended policy and least-privilege expectations.
File: .github/workflows/continue-review.yaml, line 29
| const commitSha = pr.head.sha; | ||
| // Prepare review comments | ||
| const comments = reviewData.comments?.map(comment => ({ |
Enforce the stated limit of a maximum of 20 inline comments to prevent flooding the PR. Truncate the comments array before posting to ensure only the most relevant items are submitted.
File: .github/workflows/continue-inline-review.yaml, line 172
| const comments = reviewData.comments?.map(comment => ({ | |
| const comments = (reviewData.comments || []).slice(0, 20).map(comment => ({ |
| // Prepare review comments | ||
| const comments = reviewData.comments?.map(comment => ({ | ||
| path: comment.path, | ||
| line: comment.line || 1, |
Do not default missing line numbers to 1 when creating review comments; this can attach comments to incorrect lines. Validate that the line is present and within the diff, and skip or correct entries with invalid line numbers to avoid misplacement.
File: .github/workflows/continue-inline-review.yaml, line 174
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI | ||
| run: npm install -g @continuedev/cli@latest |
Pin the Continue CLI version instead of using "@latest" to ensure deterministic behavior across runs and avoid unexpected breaking changes. Align the version with the other workflow for consistency.
File: .github/workflows/continue-inline-review.yaml, line 46
| run: npm install -g @continuedev/cli@latest | |
| run: npm install -g @continuedev/cli@1.4.25 |
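An added example, not code from this PR or from the Continue project, of the validation the cubic comments above ask for, written as it would sit in the github-script step: it maps each PR file's `patch` (assumed to come from `pulls.listFiles`) to the RIGHT-side line numbers that can carry a comment, drops entries whose path or line is not in the diff instead of defaulting to line 1, enforces the 20-comment cap and checks the body size. The sample files and model output are constructed.

```javascript
// Added example, not code from the PR or from the Continue project.
// Sanitises model-generated review comments before pulls.createReview is called
// from a github-script step. Assumes the PR's files come from pulls.listFiles
// (objects with `filename` and `patch`); the sample data below is constructed.
const MAX_COMMENTS = 20;   // cap stated in the review prompt
const MAX_BODY = 65536;    // GitHub's limit on a comment body

// Map the RIGHT-side (head commit) line numbers that can carry a review comment
// to their diff `position`. Position is 1 for the line directly below the first
// "@@" header and keeps counting through later hunk headers, as the REST API
// defines it; removed ("-") lines exist only on the LEFT side and are skipped.
function commentableLines(patch) {
  const lines = new Map();
  if (!patch) return lines;              // binary or oversized file: no patch text
  let position = 0;
  let rightLine = 0;
  let seenHunk = false;
  for (const raw of patch.split("\n")) {
    if (raw.startsWith("@@")) {
      const m = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
      if (!m) continue;
      rightLine = Number(m[1]);
      if (seenHunk) position += 1;       // later headers occupy a position
      seenHunk = true;
      continue;
    }
    if (!seenHunk) continue;
    position += 1;
    if (raw.startsWith("-") || raw.startsWith("\\")) continue;
    lines.set(rightLine, position);      // "+" (added) or " " (context) line
    rightLine += 1;
  }
  return lines;
}

// Explain why a model-produced comment cannot be posted, or null if it can.
function rejectReason(c, byPath) {
  if (!c || typeof c !== "object") return "not an object";
  if (typeof c.path !== "string" || !byPath.has(c.path)) return "path not in diff";
  if (!Number.isInteger(c.line) || !byPath.get(c.path).has(c.line)) return "line not in diff";
  if (typeof c.body !== "string" || c.body.trim() === "") return "empty body";
  if (c.body.length > MAX_BODY) return "body too long";
  return null;
}

// Keep only comments GitHub will accept, never default a missing line to 1,
// and enforce the comment cap. Returns the kept comments in createReview's
// shape plus the dropped ones with reasons, so the job log can show them.
function sanitizeReviewComments(reviewData, prFiles) {
  const byPath = new Map(prFiles.map((f) => [f.filename, commentableLines(f.patch)]));
  const candidates = Array.isArray(reviewData?.comments) ? reviewData.comments : [];
  const comments = [];
  const dropped = [];
  for (const c of candidates) {
    const reason = rejectReason(c, byPath) ||
      (comments.length >= MAX_COMMENTS ? "over comment limit" : null);
    if (reason) { dropped.push({ comment: c, reason }); continue; }
    comments.push({ path: c.path, line: c.line, side: "RIGHT", body: c.body.trim() });
  }
  return { comments, dropped };
}

// Constructed sample: one file with two hunks, as pulls.listFiles would return it.
const SAMPLE_FILES = [{
  filename: ".github/workflows/example.yaml",
  patch: [
    "@@ -1,3 +1,4 @@",
    " name: Example",
    "+permissions:",
    " on:",
    " pull_request:",
    "@@ -10,2 +11,3 @@",
    " steps:",
    "-  - uses: actions/checkout@v3",
    "+  - uses: actions/checkout@v4",
    "+  - run: echo hi",
  ].join("\n"),
}];

// Constructed sample of model output covering the failure modes discussed in
// the thread: a line outside the diff, a missing line number, an unknown path.
const SAMPLE_REVIEW = {
  review_summary: "constructed",
  comments: [
    { path: ".github/workflows/example.yaml", line: 2, body: "Declare least-privilege permissions explicitly." },
    { path: ".github/workflows/example.yaml", line: 7, body: "Line 7 is not in the diff." },
    { path: ".github/workflows/example.yaml", body: "No line number at all." },
    { path: "README.md", line: 1, body: "Path not in the PR." },
    { path: ".github/workflows/example.yaml", line: 12, body: "Pin the action to a commit SHA." },
  ],
};

const result = sanitizeReviewComments(SAMPLE_REVIEW, SAMPLE_FILES);
console.log(JSON.stringify(result, null, 2)); // keeps lines 2 and 12, drops 3
```

In the workflow the `comments` array returned here is what would be passed to `pulls.createReview`, and `dropped` is worth logging so a prompt that keeps producing out-of-diff lines is noticed.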
@continue-review hello
Triggered by @tomasz-stefaniak's request. Code Review Summary: ✅ Strengths
tingwai left a comment:
Just one thing, looks great otherwise!
| // Prepare review comments | ||
| const comments = reviewData.comments?.map(comment => ({ | ||
| path: comment.path, | ||
| line: comment.line || 1, |
+1 to cubic comments, looking at the docs maybe it should fallback to position since there'll always be a position=1 in a change
https://docs.github.com/en/rest/pulls/reviews?apiVersion=2022-11-28#create-a-review-for-a-pull-request

There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This PR adds a new detailed code review workflow that provides inline comments on specific lines of code. The implementation is well-structured and follows GitHub Actions best practices. The main suggestions are around error handling improvements and workflow efficiency.
| with: | ||
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI |
Consider pinning the Continue CLI to a specific SHA hash instead of just version for better security and reproducibility: npm install -g @continuedev/cli@1.4.25#<commit-sha>
|
|
||
| - name: Run Continue CLI Inline Review | ||
| run: | | ||
| echo "Running Continue CLI for inline review..." |
Add error handling for the Continue CLI execution. If the command fails, the workflow should exit gracefully: cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p > inline_review.json || { echo '{"review_summary": "CLI execution failed", "comments": []}' > inline_review.json; exit 1; }
| Guidelines for comments: | ||
| - Be specific and actionable | ||
| - Reference the exact line number from the diff | ||
| - Keep comments concise but informative |
The comment references 'LEFT' for removed lines, but PR review comments can only be placed on lines that exist in the diff. Consider removing this guideline or clarifying that LEFT comments should be placed on nearby context lines.
| issues: write | ||
|
|
||
| jobs: | ||
| detailed-code-review: |
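Review bot: `issues: write` is broader than the inline review needs: posting inline comments through `pulls.createReview` is covered by `pull-requests: write`. Drop `issues: write` unless a step in this job posts a summary with `issues.createComment`, and if one does, post the validated output rather than the raw CLI file.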
Consider reducing the timeout from 10 minutes to 5 minutes for the detailed review job, as it should complete faster than a general review.
| pull_number: prNumber | ||
| }); | ||
| const commitSha = pr.head.sha; |
Add validation for the comment fields to ensure they are within GitHub's limits (e.g., body length < 65536 characters) before attempting to create the review.
| # Validate JSON output | ||
| if ! jq empty inline_review.json 2>/dev/null; then | ||
| echo "Invalid JSON output from Continue CLI" | ||
| echo "{\"review_summary\": \"Failed to generate review\", \"comments\": []}" > inline_review.json |
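Review bot: `jq empty` only proves the file parses; the step should also check the shape the posting step relies on, for example `jq -e '(.review_summary|type=="string") and (.comments|type=="array")' inline_review.json`, and write the same placeholder JSON when that fails, because a syntactically valid reply with `comments` missing, null or an object will otherwise reach `createReview` and fail there instead.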
Missing error handling for the Continue API key. Add a check to ensure the secret exists: if [ -z "$CONTINUE_API_KEY" ]; then echo "Error: CONTINUE_API_KEY not set"; exit 1; fi
cubic analysis: 2 issues found across 3 files
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 |
Pin GitHub Actions to a specific commit SHA instead of a version tag to reduce supply‑chain risk.
File: .github/workflows/continue-detailed-review.yaml, line 36
<file context>
@@ -0,0 +1,250 @@
+name: Continue Detailed Review
+
+on:
+ pull_request:
+ types: [opened, ready_for_review]
+ issue_comment:
+ types: [created]
+
+permissions:
</file context>
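Review bot: `issue_comment: [created]` fires for every new comment on every issue and pull request in the repository and runs on the default branch, so the job condition has to check `github.event.issue.pull_request` as well as the trigger phrase; otherwise a `@continue-detailed-review` comment on a plain issue starts a job that has no PR to diff and fails at the first `pulls.get`. On the `pull_request` side, `[opened, ready_for_review]` without `synchronize` means later pushes never refresh the review, so its inline positions go stale against the new head.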
| echo "Running Continue CLI for inline review..." | ||
| # Run the CLI and capture JSON output | ||
| cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p > inline_review.json |
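Review bot: `cat inline_review_prompt.txt | cn ... -p` hands the prompt to `cn` on stdin as data; nothing in the diff is evaluated by the shell, so this line is not a command-injection sink. The exposure is prompt injection: the file contains the PR diff verbatim, so a contributor can embed instructions that steer what the model returns, which means `inline_review.json` must be treated as untrusted input (schema-checked, paths and positions cross-checked against the diff, body length and comment count capped) before any of it is posted with the workflow's write token.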
If the cn command fails, the step will exit due to bash -e -o pipefail and later steps won’t run. Add a fallback so the job can continue and post a summary.
File: .github/workflows/continue-detailed-review.yaml, line 120
This PR introduces a new detailed code review workflow that provides inline comments on specific lines of code. The implementation is well-structured with proper error handling and fallback mechanisms. The main concerns are around security (using pinned action versions), performance considerations for large PRs, and some workflow condition improvements.
| with: | ||
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI |
Good practice using SHA pinning for the checkout action. This improves security by preventing potential supply chain attacks.
| run: | | ||
| # Get PR number based on event type | ||
| if [ "${{ github.event_name }}" = "pull_request" ]; then | ||
| PR_NUMBER="${{ github.event.number }}" |
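Review bot: `PR_NUMBER="${{ github.event.number }}"` expands the expression into the script text before bash runs it; that is harmless for an integer field, but the same pattern with a string field (PR title, body, branch name, comment text) is the classic Actions script-injection bug. Pass event data through the step's `env:` block and read `"$PR_NUMBER"` inside the script, so the safe form is the one that gets copied for the next field.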
Consider pinning the actions/setup-node version with a commit SHA for consistency with the security practice used for checkout action: uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v4
| # For issue_comment event on a PR | ||
| PR_NUMBER="${{ github.event.issue.number }}" | ||
| fi | ||
Security consideration: Pinning the Continue CLI version is good, but consider verifying the package integrity or using a lockfile to ensure reproducible builds.
| # Log the output for debugging | ||
| echo "Continue CLI output:" | ||
| cat inline_review.json |
The command cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p could be simplified to cn --readonly --format json --org continuedev --config continuedev/review-bot -p < inline_review_prompt.txt to avoid unnecessary use of cat (UUOC).
| fi | ||
| env: | ||
| CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }} | ||
|
|
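Review bot: keeping `CONTINUE_API_KEY` in a step-level `env:` rather than at job or workflow level is the right scoping. Note that on `pull_request` runs from forks GitHub supplies no repository secrets, so the variable will be empty there and the step should fail fast with a clear message (`[ -n "$CONTINUE_API_KEY" ] || { echo "CONTINUE_API_KEY not set"; exit 1; }`) instead of letting `cn` fail on authentication and the JSON fallback mask the cause.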
Good error handling here with JSON validation fallback. This prevents the workflow from failing if the CLI produces invalid output.
| const fallbackBody = `## AI Code Review\n\n${reviewData.review_summary}\n\n` + | ||
| `*Failed to post ${comments.length} inline comments. Please review the changes manually.*`; | ||
| await github.rest.issues.createComment({ |
Excellent fallback mechanism to post as a regular comment if inline review creation fails. This ensures the review feedback is not lost.
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | ||
| with: | ||
| fetch-depth: 0 # Fetch full history for better context | ||
|
|
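Review bot: the SHA pin with the `# v5.0.0` comment is the right form for a third-party action; keep the comment accurate, since Dependabot and Renovate read it when bumping the SHA. With `fetch-depth: 0` on a `pull_request` event the checkout is still the synthetic `refs/pull/N/merge` commit, which is what a reviewer wants, but it differs from the `pr.head.sha` the review is later attached to, so do not derive positions from the working tree.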
Good security practice using SHA pinning here. Consider documenting the process for updating these SHAs in your contribution guidelines.
cubic analysis: 3 issues found across 3 files
| # Only run if: | ||
| # - It's a PR event from a team member (with write/admin permissions) | ||
| # - OR it's a comment with @continue-detailed-review on a PR from a team member | ||
| if: > |
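Review bot: for the `issue_comment` path the association that matters is the commenter's, `github.event.comment.author_association`, not the PR author's; a condition that only looks at who opened the PR lets anyone able to comment start a run with the workflow's write token once a team member has opened the PR. Gate each event on the actor who triggered it.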
Duplicated logic in if condition across workflows. The check for author_association is repeated in both continue-detailed-review.yaml and continue-general-review.yaml. This violates the DRY (Don't Repeat Yourself) principle, making the workflows harder to maintain. If the criteria for who can run a review changes, it must be updated in multiple places, increasing the risk of inconsistency. This shared logic should be centralized using GitHub Actions reusable workflows.
File: .github/workflows/continue-detailed-review.yaml, line 22
|
|
||
| on: | ||
| pull_request: | ||
| types: [opened, ready_for_review] |
Workflow misses the 'synchronize' trigger, so it won’t run automatically on new commits pushed to an open PR. Add 'synchronize' to ensure reviews update when code changes.
File: .github/workflows/continue-detailed-review.yaml, line 5
| fetch-depth: 0 # Fetch full history for better context | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 |
Action is not pinned to a full commit SHA, which poses a supply-chain risk. Pin actions/setup-node to a specific commit SHA for reproducible and secure builds.
File: .github/workflows/continue-detailed-review.yaml, line 41
AI Code Review: This PR adds a new detailed code review workflow that provides inline comments on specific lines of code. The implementation is well-structured and follows GitHub Actions best practices. However, there are several areas for improvement including error handling, security considerations, and code maintainability. Failed to post 6 inline comments. Please review the changes manually.
This PR adds a new detailed code review workflow that provides inline comments on specific lines of code. The implementation is well-structured with proper error handling and fallback mechanisms. However, there are several security and reliability improvements that should be considered.
| node-version: 20 | ||
|
|
||
| - name: Install Continue CLI | ||
| run: npm install -g @continuedev/cli@1.4.25 |
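Review bot: `npm install -g @continuedev/cli@1.4.25` pins a version but verifies no hash, and npm has no `@sha256:` install syntax. To get integrity checking, install from a small package.json plus package-lock.json with `npm ci` (the lockfile's `integrity` field is what npm verifies), and pass `--ignore-scripts` so an install hook in a compromised transitive dependency cannot run on the runner with the secrets in scope.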
Consider pinning the @continuedev/cli package to a specific SHA hash instead of just a version number for better supply chain security. Example: npm install -g @continuedev/cli@sha256:...
| echo "===== END REVIEW PROMPT =====" | ||
| # Run the CLI and capture JSON output | ||
| cat inline_review_prompt.txt | cn --readonly --format json --org continuedev --config continuedev/review-bot -p > inline_review_raw.json |
Security concern: Piping untrusted PR content directly to the CLI could be risky. Consider sanitizing or validating the diff content before passing it to the Continue CLI to prevent potential command injection.
| cat inline_review.json | ||
| fi | ||
| env: | ||
| CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }} |
The CONTINUE_API_KEY secret is exposed to the Continue CLI process. Ensure this key has minimal required permissions and consider using short-lived tokens if possible.
| comment.position && | ||
| comment.path && | ||
| comment.body && | ||
| typeof comment.position === 'number' && |
Good validation logic here, but consider also checking for reasonable position values (e.g., position <= total lines in diff) to prevent API errors.
| pos++ | ||
| printf "[POS:%d] %s\n", pos, $0 | ||
| } | ||
| ' pr_diff.txt > pr_diff_annotated.txt |
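Review bot: check where `pos` is reset. GitHub's review `position` is relative to the first `@@` of each file and keeps counting through later hunks (each later `@@` line itself takes a position), so the counter must reset on the file header (`diff --git` / `+++`), not on every `@@`; a per-hunk reset attaches comments to the wrong line in any file with more than one hunk and makes `createReview` reject positions past the first hunk's length, which is exactly the case the issue-comment fallback then swallows.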
The AWK script for position annotation is clever but could fail on edge cases. Consider adding error handling or using a more robust parsing approach for complex diffs.
| cat inline_review_raw.json | ||
| # Validate JSON output | ||
| if ! jq empty inline_review_raw.json 2>/dev/null; then |
Good error handling with JSON validation. Consider also checking the size of the output to prevent issues with extremely large reviews.
| detailed-code-review: | ||
| name: Continue Detailed Review | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 10 |
The 10-minute timeout might be insufficient for large PRs. Consider making this configurable or dynamic based on PR size.
| - Use the exact number from [POS:N] markers as the position | ||
| - Only comment on changed lines (lines with + or - prefix) | ||
| - Comment on the most important issues first | ||
| - Limit to maximum 20 most relevant comments |
The 20 comment limit is hardcoded. Consider making this configurable via workflow inputs or environment variables for flexibility.
|
|
||
| - name: Upload Review Artifacts | ||
| uses: actions/upload-artifact@v4 | ||
| if: always() |
The 'if: always()' condition means artifacts are uploaded even on workflow cancellation. Consider using 'if: success() || failure()' instead.
| jobs: | ||
| code-review: | ||
| name: AI Code Review | ||
| general-code-review: |
Good practice pinning the checkout action to a specific commit SHA for security.
cubic analysis: 2 issues found across 3 files
| @@ -0,0 +1,310 @@ | |||
| name: Continue Detailed Review | |||
The introduction of the new continue-detailed-review.yaml workflow duplicates a significant amount of configuration and setup steps from the existing continue-general-review.yaml file, such as repository checkout, Node.js setup, and Continue CLI installation. This violates the DRY (Don't Repeat Yourself) principle at the CI/CD architecture level. Maintaining two nearly identical workflows increases maintenance overhead and the risk of inconsistencies. Future changes to the setup will need to be applied in both places. A better architectural approach would be to use GitHub Actions' reusable workflows or composite actions to abstract and share these common steps.
File: .github/workflows/continue-detailed-review.yaml, line 1
| # Annotate diff with position numbers for easy reference | ||
| awk ' | ||
| /^@@/ { | ||
| pos = 0 |
The [POS:N] annotation resets at each @@ hunk, but GitHub review API requires per-file absolute positions within the file patch; using these hunk-local positions will misalign comments and often cause createReview to fail.
File: .github/workflows/continue-detailed-review.yaml, line 67
|
|
||
| - **Team members only**: AI review runs automatically when PR is opened or marked ready for review | ||
| - Team members can also trigger a review by commenting `@continue-review` | ||
| - Team members can also trigger a review by commenting `@continue-general-review` or `@continue-detailed-review` |
nice, I like that
| [POS:1] console.log("context"); | ||
| [POS:2] - const old = "remove this"; | ||
| [POS:3] + const new = "add this"; | ||
| [POS:4] + const risky = eval(userInput); <-- To comment here, use position: 4 | ||
| [POS:5] return result; | ||
| [POS:6] + console.log("done"); | ||
| @@ -20,3 +22,4 @@ function another() { | ||
| [POS:1] let x = 1; | ||
| [POS:2] + let y = 2; <-- To comment here, use position: 2 |
Great work digging deep on this
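As an added example (mine, not code from this PR or the continue repository): a github-script-style JavaScript version of the annotate-then-validate step that follows GitHub's actual `position` rule (per file, counting across hunks, so the second-hunk line in the prompt example above is position 9, not 2) and drops model comments whose path or position is not a changed line in the diff, which is the check the `comment.position && comment.path && comment.body` validation and cubic's per-hunk-reset note both point at. The diff and the model output are constructed; `toCreateReviewParams` uses the real octokit `pulls.createReview` parameter names (`pull_number`, `commit_id`, `comments[].position`), but every path, sha and review sentence in the sample is made up.

```javascript
// Added example, not code from the continue repo or this PR: compute GitHub
// review `position` values from a unified diff and validate a model's
// proposed inline comments against them. All data below is constructed.

// GitHub counts `position` per file: the line under the file's first "@@"
// is 1 and every later patch line (blank context, later "@@" headers,
// "\ No newline" markers) adds one; the counter resets only at the next
// file. Returns Map<path, Map<position, {kind, text}>>.
function computePositions(diffText) {
  const files = new Map();
  let current = null;   // position map of the file being parsed
  let oldPath = null;   // from "--- a/...", used when the new side is /dev/null
  let seenHunk = false; // past this file's first "@@"?
  let pos = 0;
  const strip = (p) => (p.startsWith('a/') || p.startsWith('b/') ? p.slice(2) : p);

  for (const line of diffText.split('\n')) {
    if (line === '') continue; // only a trailing newline yields this
    if (line.startsWith('diff --git ')) {
      current = null; oldPath = null; seenHunk = false; pos = 0;
      continue;
    }
    if (!seenHunk) {
      // Header region: "---", "+++", "index", mode lines, then the first "@@".
      if (line.startsWith('--- ')) { oldPath = strip(line.slice(4)); continue; }
      if (line.startsWith('+++ ')) {
        const newPath = strip(line.slice(4));
        current = new Map();
        files.set(newPath === '/dev/null' ? oldPath : newPath, current);
        continue;
      }
      if (line.startsWith('@@') && current) { seenHunk = true; pos = 0; }
      continue;
    }
    pos += 1;
    const kind = line.startsWith('@@') ? 'hunk'
      : line.startsWith('+') ? 'add'
      : line.startsWith('-') ? 'del'
      : 'ctx';
    current.set(pos, { kind, text: line });
  }
  return files;
}

// The model's JSON is untrusted: each comment must name a path in the diff,
// a position that exists there and is a changed line, and a non-empty body
// within GitHub's limit. Bad entries are dropped, not repaired.
function validateComments(comments, positions, { maxComments = 20, maxBody = 65536 } = {}) {
  const accepted = [];
  const rejected = [];
  for (const c of Array.isArray(comments) ? comments : []) {
    const reject = (reason) => rejected.push({ comment: c, reason });
    if (!c || typeof c.path !== 'string' || !positions.has(c.path)) { reject('path not in diff'); continue; }
    const file = positions.get(c.path);
    if (!Number.isInteger(c.position) || !file.has(c.position)) { reject('position not in diff'); continue; }
    const { kind } = file.get(c.position);
    if (kind !== 'add' && kind !== 'del') { reject('not a changed line'); continue; }
    if (typeof c.body !== 'string' || c.body.trim() === '') { reject('empty body'); continue; }
    if (c.body.length > maxBody) { reject('body too long'); continue; }
    accepted.push({ path: c.path, position: c.position, body: c.body });
  }
  return { accepted: accepted.slice(0, maxComments), rejected };
}

// Parameters for octokit's pulls.createReview, built from the validated list only.
function toCreateReviewParams(owner, repo, pullNumber, commitSha, reviewData, positions) {
  const { accepted } = validateComments(reviewData.comments, positions);
  const summary = typeof reviewData.review_summary === 'string' ? reviewData.review_summary : '';
  return { owner, repo, pull_number: pullNumber, commit_id: commitSha, event: 'COMMENT', body: summary, comments: accepted };
}

// Constructed two-hunk diff; the second hunk is where a per-hunk reset goes wrong.
const SAMPLE_DIFF = [
  'diff --git a/src/app.js b/src/app.js',
  'index 1111111..2222222 100644',
  '--- a/src/app.js',
  '+++ b/src/app.js',
  '@@ -10,4 +10,6 @@ function handler() {',
  ' console.log("context");',            // position 1
  '-const old = "remove this";',          // position 2
  '+const updated = "add this";',         // position 3
  '+const risky = eval(userInput);',      // position 4
  ' return result;',                      // position 5
  '+console.log("done");',                // position 6
  '@@ -20,3 +22,4 @@ function another() {', // position 7 (header counts)
  ' let x = 1;',                          // position 8
  '+let y = 2;',                          // position 9
].join('\n');

// Constructed model output, including the mistakes the validator must catch.
const SAMPLE_REVIEW = {
  review_summary: 'Two issues found.',
  comments: [
    { path: 'src/app.js', position: 4, body: 'eval on user input is code injection.' },
    { path: 'src/app.js', position: 9, body: 'y is assigned but never used.' },
    { path: 'src/app.js', position: 7, body: 'This points at a hunk header.' },
    { path: 'src/app.js', position: 42, body: 'Past the end of the patch.' },
    { path: '.github/workflows/other.yaml', position: 1, body: 'File not in this diff.' },
    { path: 'src/app.js', position: 1, body: '   ' },
  ],
};

const RESULT = validateComments(SAMPLE_REVIEW.comments, computePositions(SAMPLE_DIFF));
console.log(RESULT.accepted.map((c) => c.position)); // [4, 9]
console.log(RESULT.rejected.map((r) => r.reason));
```

In the workflow this would replace both the awk annotation (feed the model `[POS:N]` markers generated from `computePositions`, so the numbers it sees are the ones the API expects) and the `comment.position && comment.path && comment.body` check in the github-script step; rejected entries are worth logging, since a run that rejects most comments usually means the model ignored the position markers.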
🎉 This PR is included in version 1.5.0 🎉 The release is available on: Your semantic-release bot 📦🚀

🎉 This PR is included in version 1.7.0 🎉 The release is available on: Your semantic-release bot 📦🚀
Description
[ What changed? Feel free to be brief. ]
Checklist
Screen recording or screenshot
[ When applicable, please include a short screen recording or screenshot - this makes it much easier for us as contributors to review and understand your changes. See this PR as a good example. ]
Tests
[ What tests were added or updated to ensure the changes work as expected? ]
Summary by cubic
Added automated code review workflows that run on pull requests and allow team members to trigger reviews by comment.