AI-assisted code reviews are no longer just a nice-to-have; they are becoming a standard practice for ensuring readability, security, and performance without slowing down deployments.
In this guide, we’ll walk through setting up GitHub Actions for AI Code Review using YAML, from prerequisites to troubleshooting, so you can have AI check every pull request automatically.
Prerequisites
Before we dive into YAML, make sure you have:
- A GitHub repository (public or private)
- GitHub Actions enabled for the repo
- An OpenAI API key (or any other AI model API key)
- Basic understanding of GitHub Actions workflow syntax (YAML)
- A Prompt Library ready for the AI to use
If you haven’t yet built your prompt set, check our Prompt Library for Code Review - 30 Prompts for Readability, Security, Performance
Step 1: Creating the YAML File
GitHub Actions uses .yml files inside .github/workflows/. We’ll create one called ai-code-review.yml.
Here’s a minimal YAML setup you can copy-paste into your repo:
name: AI Code Review
on:
  pull_request:
    branches:
      - main
      - develop
jobs:
  ai_review:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Install dependencies
        run: |
          npm install axios
      - name: Run AI Code Review
        env:
          # Never hardcode the key here; it comes from repo secrets (Step 2)
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          node <<'EOF'
          const axios = require('axios');
          const fs = require('fs');
          // Collect the files to review (minimal example: all .js files in the repo root)
          const files = fs.readdirSync('./').filter(f => f.endsWith('.js'));
          const prompt = `
          Perform a code review focusing on:
          - Readability
          - Security
          - Performance
          Files:
          ${files.join(', ')}
          `;
          axios.post('https://api.openai.com/v1/chat/completions', {
            model: "gpt-4o",
            messages: [{ role: "user", content: prompt }]
          }, {
            headers: {
              "Authorization": `Bearer ${process.env.OPENAI_API_KEY}`,
              "Content-Type": "application/json"
            }
          }).then(res => {
            // Print the review into the job log
            console.log(res.data.choices[0].message.content);
          }).catch(err => {
            // Log only the status and response body: a full axios error includes the
            // request config, and with it the Authorization header
            console.error(err.response ? `${err.response.status} ${JSON.stringify(err.response.data)}` : err.message);
            process.exit(1);  // fail the job so a broken review is visible in the PR checks
          });
          EOF
This script:
- Triggers on pull requests
- Collects the files to review (in this minimal example, the .js files in the repo root; Step 6 shows how to switch to git diff so only changed files are picked up)
- Sends the prompt, with your checklist and the file list, to an AI model
- Logs the AI review to the build output
Step 2: Adding Secrets
Since we can’t hardcode API keys in YAML, store them in GitHub Secrets:
- Go to your repo → Settings → Secrets and variables → Actions
- Click New repository secret
- Name it OPENAI_API_KEY
- Paste your key and save
Step 3: Setting Permissions
In .github/workflows/ai-code-review.yml, make sure your job has read access to the code (the permissions block goes at the top level of the workflow or under the ai_review job):
permissions:
  contents: read
  pull-requests: write
This ensures the AI can read PR changes and optionally post review comments back to the PR.
Step 4: Using Prompts Effectively
The power of AI review depends on the quality of prompts.
Use structured, specific prompts from our Code Review Prompt Library for:
- Readability checks (naming, formatting, comments)
- Security checks (input validation, secrets, authentication)
- Performance checks (loops, DB queries, caching)
Example inside your YAML:
// `files` and `fs` come from the Step 1 script; embed the file contents so the
// model reviews the code itself rather than only a list of file names
const prompt = `
Review the following code for:
1. Readability
2. Security
3. Performance
Provide a numbered list of findings and suggested improvements.
Code:
${files.map(f => `--- ${f} ---\n${fs.readFileSync(f, 'utf8')}`).join('\n')}
`;
Step 5: Testing the Workflow
- Create a test branch
- Make a small code change (e.g., modify index.js)
- Open a pull request to main or develop
- Go to the Actions tab → Select AI Code Review → Check the logs
Step 6: Troubleshooting
Common Issues & Fixes:
- AI request fails → Check that OPENAI_API_KEY is set correctly in repo secrets
- Workflow not triggering → Ensure the branch filters in on.pull_request.branches match your target branch
- Empty file list → Adjust the script to capture changes via git diff --name-only instead of reading the directory
- Rate limits → Use smaller file batches or a cheaper AI model
Next Steps
- Expand your prompt set with our Prompt Library for Code Review
- Experiment with posting AI feedback as PR comments for even smoother reviews