---
name: code-review-workflow
description: Gives an agent the ability to review pull requests and code diffs, identify bugs, security issues and style violations, and generate structured, actionable review feedback.
inputs:
  - repo_url: Git repository URL
  - pr_number_or_diff: Pull request number or raw unified diff
  - review_depth: quick (5 min), standard (15 min), thorough (30 min)
  - language_rules: Optional per-language linting config and style guide
outputs:
  - review_summary: Overall assessment with risk rating (critical/high/medium/low)
  - file_reviews: Per-file review comments with line numbers
  - security_findings: Vulnerability classification and severity
  - style_violations: Style and consistency issues with auto-fix suggestions
  - suggested_fixes: Code snippets for critical issues
tools:
  - git_cli: Fetch diffs, branch info, commit history
  - openai_claude: Code analysis and review generation
  - github_api: PR metadata, status checks, comment posting
  - language_linters: ESLint (JS/TS), ruff (Python), clippy (Rust)
  - semgrep: Pattern-based security scanning
safety:
  - Never auto-approve or merge PRs without human confirmation
  - Flag any credentials, API keys, or secrets found in the diff as blocking
  - Review only the lines changed in the diff; respect .gitignore
  - Do not review vendored or generated code
  - Always include both positive feedback and issues
---

# Code Review Workflow Skill

Automate code review across pull requests: analyze diffs, check for bugs, security issues and style violations, and generate structured review feedback.

## When to Use

- You want automated first-pass code review on every PR
- You need consistent security review across your codebase
- You want to catch style and logic issues before human review
- You maintain multiple repos and want standardized review practices

## How It Works

1. **Fetch**: Get the PR diff, commit messages, and changed-file list from GitHub or Git
2. **Analyze**: Run the language linters and semgrep over each changed file
3. **Review**: Use the model to analyze diffs for logic bugs, edge cases, and anti-patterns
4. **Categorize**: Classify each finding as bug, security, style, performance, or suggestion, with a severity
5. **Report**: Generate structured output grouped by severity and file
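The pipeline above, as an added example that is not part of the skill or of any project it names: a Python script that parses a unified diff into post-change line numbers (the Fetch output), runs a few hand-written regex checks in place of semgrep and the linters (Analyze and Categorize), skips paths under `dist/`, `vendor/` and `node_modules/` to honour the vendored/generated-code rule, and builds the `review_summary` / `file_reviews` report with a committed secret marked as blocking. The sample diff, the check patterns, the ignored-path list and every function name here are constructed for the illustration, not taken from the skill.

```python
"""Added example, not the skill's code: a minimal Fetch -> Analyze -> Categorize -> Report
pass over a unified diff. Regex checks stand in for semgrep/linters; the diff is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, asdict

# Constructed diff: a route that interpolates SQL and commits a key, plus a dist/ change to skip.
SAMPLE_DIFF = """\
diff --git a/src/users.ts b/src/users.ts
--- a/src/users.ts
+++ b/src/users.ts
@@ -10,4 +10,6 @@ import { pool } from './db';
 router.get('/users/:id', async (req, res) => {
-  const user = await findUser(req.params.id);
+  const API_KEY = "sk_live_0123456789abcdef";
+  const user = await pool.query(`SELECT * FROM users WHERE id = ${req.params.id}`);
+  console.log(user);
   res.json(user);
 });
diff --git a/dist/bundle.js b/dist/bundle.js
--- a/dist/bundle.js
+++ b/dist/bundle.js
@@ -1,1 +1,2 @@
 var x = 1;
+console.log("built");
"""

IGNORED_PREFIXES = ("vendor/", "node_modules/", "dist/")  # assumed out-of-scope paths
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# (category, severity, blocking, pattern, message); illustrative regexes standing in for scanner output.
CHECKS = [
    ("security", "critical", True,
     re.compile(r"""(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{12,}["']"""),
     "Hardcoded credential; rotate it and load it from the environment or a secret manager"),
    ("security", "high", False,
     re.compile(r"(?:query|execute)\s*\(\s*`[^`]*\$\{"),
     "SQL built by template interpolation; use a parameterised query ($1 placeholders)"),
    ("style", "low", False,
     re.compile(r"\bconsole\.log\("),
     "Leftover console.log; use the project logger or remove it"),
]

@dataclass
class Finding:
    path: str
    line: int        # line number in the post-change file, where the comment goes
    category: str
    severity: str
    blocking: bool
    message: str
    snippet: str

def added_lines(diff: str):
    """Yield (path, new_line_number, text) for every added line, tracking the
    post-change line number so review comments land on the right line."""
    path, new_ln, in_hunk = None, 0, False
    for raw in diff.splitlines():
        if raw.startswith("diff "):
            in_hunk = False                    # next file's header; wait for its @@
        elif raw.startswith("+++ "):
            name = raw[4:].split("\t")[0]
            path = name[2:] if name.startswith("b/") else name
        elif raw.startswith("@@"):
            new_ln, in_hunk = int(HUNK_RE.match(raw).group(1)), True
        elif not in_hunk or raw[:1] in ("-", "\\"):
            continue                           # header, removed line, or "\ No newline"
        elif raw.startswith("+"):
            if path is not None and not path.startswith(IGNORED_PREFIXES):
                yield path, new_ln, raw[1:]
            new_ln += 1
        else:
            new_ln += 1                        # context line, present in both versions

def review_diff(diff: str) -> list[Finding]:
    """Analyze + Categorize: run every check over each added line."""
    return [
        Finding(path, ln, cat, sev, blocking, msg, text.strip())
        for path, ln, text in added_lines(diff)
        for cat, sev, blocking, pat, msg in CHECKS
        if pat.search(text)
    ]

def build_report(findings: list[Finding]) -> dict:
    """Report: risk rating is the worst severity, the PR is blocking if any finding
    is (e.g. a committed secret), and per-file comments are ordered by severity then line."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path, f.line))
    by_file = defaultdict(list)
    for f in ordered:
        by_file[f.path].append(asdict(f))
    return {
        "review_summary": {"risk_rating": ordered[0].severity if ordered else "none",
                           "blocking": any(f.blocking for f in findings),
                           "finding_count": len(findings)},
        "file_reviews": dict(by_file),
    }
```

Calling `build_report(review_diff(SAMPLE_DIFF))` rates the PR `critical` and `blocking` because of the committed key, attaches the three findings to `src/users.ts` at lines 11, 12 and 13, and reports nothing for `dist/bundle.js`. In a real run the findings list would be populated from semgrep and linter output (which already carry file, line and rule identifiers) and the model's logic and edge-case review would be appended in the same shape; the `blocking` flag is what gates the `github_api` comment and status-check step, never an approval or merge.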

## Review Depth Levels

- **Quick (5 min)**: Focus on critical bugs, security issues, obvious style problems.
- **Standard (15 min)**: Full logic review, edge case analysis, performance considerations, test coverage check.
- **Thorough (30 min)**: Everything in standard plus architecture feedback, dependency review, migration safety, and documentation suggestions.

## Example Prompt

"Review PR #42 in github.com/myorg/api-server. Use standard depth. The stack is TypeScript + Express + PostgreSQL. Flag any SQL injection risks, type safety issues, and missing error handling."

## Related

- Pattern: /patterns/evaluator-optimizer
- Recipe: /recipes/internal-ai-os
