Code Review Bot with Continue and GitHub Actions
Set up automated, context-aware pull request reviews using Continue CLI in GitHub Actions - privacy-first with custom rules
What You'll Build
An automated pull request review system that:
- Reviews code automatically when pull requests open or update
- Applies your team's custom rules and standards
- Runs in your GitHub Actions runner (code is sent directly to your configured LLM)
- Posts actionable feedback as pull request comments
- Responds to interactive review requests
Why This Approach?
Privacy-First
All logs and processing happen in your runner: Continue CLI runs in GitHub Actions â code to your LLM provider (OpenAI, Anthropic, etc.). No hosted Continue service reads your code.
Customizable
Define team-specific rules in
.continue/rules/ that automatically apply to every pull request.Context Awareness
Leverage Continue's AI agent for intelligent, context-aware reviews with full control over your configuration.
Prerequisites
Before starting, ensure you have:
- A GitHub repository with pull requests
- Continue account with Hub access
- Read: Understanding Configs
- A Continue API key from continue.dev/settings/api-keys
- Continue assistant configured for code reviews (or use our recommended default)
Want to customize the review bot?
You can remix the default review bot configuration at continue.dev/continuedev/review-bot to create your own personalized version with custom prompts, rules, and behaviors.
Quick Setup (10 Minutes)
1
Configure Repository Secrets and Variables
Navigate to your repository settings: Settings â Secrets and variables â Actions
Required Secrets:
CONTINUE_API_KEY- Your Continue API key from continue.dev/settings/api-keys
Optional (for better permissions):
- Variables tab:
APP_ID- GitHub App ID (for enhanced API rate limits) - Secrets tab:
APP_PRIVATE_KEY- GitHub App private key
2
Add Workflow File
Create a GitHub Actions workflow file at
.github/workflows/code-review.yml with the provided configuration.name: Continue Code Review
on:
pull_request:
types: [opened, synchronize, ready_for_review]
issue_comment:
types: [created]
permissions:
contents: read
pull-requests: write
issues: write
jobs:
review:
runs-on: ubuntu-latest
# Only run on PRs or when @review-bot is mentioned
if: |
github.event_name == 'pull_request' ||
(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@review-bot'))
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for better context
# Optional: Use GitHub App token for better rate limits
- name: Generate App Token
id: app-token
if: vars.APP_ID != ''
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Install Continue CLI
run: npm i -g @continuedev/cli
- name: Get Pull Request Details
id: pr
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
# Get pull request number and details
if [ "${{ github.event_name }}" = "pull_request" ]; then
PR_NUMBER=${{ github.event.pull_request.number }}
else
PR_NUMBER=$(jq -r .issue.number "$GITHUB_EVENT_PATH")
fi
echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
# Get pull request diff
gh pr diff $PR_NUMBER > pr.diff
# Get changed files
gh pr view $PR_NUMBER --json files -q '.files[].path' > changed_files.txt
- name: Run Continue Review
env:
CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
# Check if custom rules exist
if [ -d ".continue/rules" ]; then
echo "đ Found custom rules in .continue/rules/"
RULES_CONTEXT="Apply the custom rules found in .continue/rules/ directory."
else
echo "âšī¸ No custom rules found. Using general best practices."
RULES_CONTEXT="Review for general best practices, security issues, and code quality."
fi
# Build review prompt
PROMPT="Review this pull request with the following context:
## Changed Files
$(cat changed_files.txt)
## Diff
\`\`\`diff
$(cat pr.diff)
\`\`\`
## Instructions
$RULES_CONTEXT
Provide:
1. A brief summary of changes
2. Key findings (potential issues, security concerns, suggestions)
3. Positive observations (good practices, improvements)
4. Specific actionable recommendations
Format as markdown suitable for a GitHub pull request comment."
# Run Continue CLI in headless mode
cn --config continuedev/review-bot \
-p "$PROMPT" \
--auto > review_output.md
- name: Post Review Comment
env:
GH_TOKEN: ${{ steps.app-token.outputs.token || github.token }}
run: |
# Add header
cat > review_comment.md <<'EOF'
## đ¤ AI Code Review
EOF
# Add review content
cat review_output.md >> review_comment.md
# Add footer
cat >> review_comment.md <<'EOF'
---
*Powered by [Continue](https://continue.dev) âĸ Need a focused review? Comment `@review-bot check for [specific concern]`*
EOF
# Check for existing review comment
EXISTING_COMMENT=$(gh pr view ${{ steps.pr.outputs.pr_number }} \
--json comments -q '.comments[] | select(.body | contains("đ¤ AI Code Review")) | .id' | head -1)
if [ -n "$EXISTING_COMMENT" ]; then
echo "Updating existing comment..."
gh api --method PATCH \
"repos/${{ github.repository }}/issues/comments/$EXISTING_COMMENT" \
-f body="$(cat review_comment.md)"
else
echo "Creating new comment..."
gh pr comment ${{ steps.pr.outputs.pr_number }} \
--body-file review_comment.md
fi
3
Create Custom Rules (Optional)
Define your team's standards in
.continue/rules/:Create
.continue/rules/security.md:---
globs: "**/*.{ts,tsx,js,jsx,py}"
description: "Security Review Standards"
alwaysApply: true
---
# Security Checklist
- No hardcoded credentials, API keys, or secrets
- All user inputs are validated and sanitized
- SQL queries use parameterization (no string concatenation)
- Authentication and authorization checks are in place
- Sensitive data is properly encrypted
- Error messages don't leak sensitive information
How It Works
The workflow follows these steps:
- Pull Request Created/Updated - A pull request is opened or synchronized
- Workflow Triggered - GitHub Actions workflow starts automatically
- Load Custom Rules - Reads your team's rules from
.continue/rules/ - Get Pull Request Diff - Fetches the diff and list of changed files
- Continue CLI Analyzes Code - AI agent reviews the code with your rules
- Post or Update Review Comment - Creates or updates a single PR comment with feedback
Interactive Commands
Comment on any pull request to trigger focused reviews:
@review-bot check for security issues
@review-bot review the TypeScript types
@review-bot explain the architecture changes
@review-bot focus on error handling
The workflow will respond with a targeted review based on your request.
Advanced Configuration
By default, the workflow uses the
continuedev/review-bot config optimized for code reviews. Replace continuedev/review-bot with your own config:- name: Run Continue Review
env:
CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
CONTINUE_ORG: your-org-name # Add your org
CONTINUE_CONFIG: username/config-name # Add your config
run: |
cn --config $CONTINUE_ORG/$CONTINUE_CONFIG \
-p "$PROMPT" \
--auto > review_output.md
Store
CONTINUE_ORG and CONTINUE_CONFIG as repository variables for easy updates.Troubleshooting
Example Output
Here's what a typical review comment looks like:
đ¤ AI Code Review
Summary
This pull request introduces a new user authentication system with JWT tokens and password hashing. The implementation follows security best practices with a few minor suggestions.Key Findings
Security â
- Password hashing properly implemented with bcrypt
- JWT tokens include appropriate expiry
- Input validation present for all endpoints
Code Quality đĄ
- Consider adding rate limiting to login endpoint
- The
secretKeyshould be loaded from environment variables, not hardcoded- Add unit tests for token expiration edge cases
Positive Observations
- Good separation of concerns with middleware pattern
- Clear error messages for authentication failures
- Proper async/await usage throughout
Recommendations
- Move
secretKeyto environment variables (see.continue/rules/security.md)- Add rate limiting middleware to prevent brute force attacks
- Consider adding integration tests for the auth flow
- Document the JWT payload structure
Powered by Continue âĸ Need a focused review? Comment@review-bot check for security
What You've Built
After completing this setup, you have an AI-powered code review system that:
- â Runs automatically - Reviews every pull request without manual intervention
- â Privacy-first - CLI runs in your GitHub Actions runner, code sent directly to your configured LLM
- â Customizable - Team-specific rules apply automatically
- â Interactive - Responds to focused review requests
- â Continuous - Updates reviews as pull requests change
Continuous AI
Your pull request workflow now operates at Level 2 Continuous
AI -
AI handles routine code review with human oversight through review and
approval.
Next Steps
- Test it out - Create a test pull request and watch the review appear
- Refine rules - Add more custom rules specific to your codebase
- Customize prompts - Adjust the review prompt to match your team's style
- Add metrics - Track review effectiveness over time
- Create team config - Set up a shared Continue config for consistent reviews
Inspiration & Resources
CodeBunny
Original inspiration - Privacy-first AI code reviews
Continue CLI Guide
Learn more about Continue CLI capabilities
Continue Mission Control
Browse shared configs and create your own
Rules Documentation
Deep dive into custom rules
Community Examples
Share your pull request review bot configuration:
- Tweet your setup with
#ContinueDev - Share improvements as GitHub discussions
- Contribute example rules to the docs