This document defines how the AI-powered code review works in this repository.
Every Pull Request automatically triggers an AI review that checks:
- ✅ Correct `apiVersion` for each resource kind
- ✅ Namespace consistency across related resources
- ✅ No hardcoded secrets or API keys
- ✅ Resource names follow kebab-case convention
- ✅ Required labels and annotations present
- ✅ Secret references use correct key names (e.g. `Authorization` for agentgateway)
- ✅ `AgentgatewayBackend` uses `agentgateway.dev/v1alpha1` apiVersion
- ✅ Model name is cost-effective (prefer `claude-3-haiku-*` over `claude-sonnet` or `claude-opus`)
- ✅ Auth policy uses `secretRef` (not inline credentials)
- ✅ Gateway name matches `parentRefs` in HTTPRoute
- ✅ `ModelConfig` points to agentgateway (not directly to the Anthropic API)
- ✅ `baseUrl` uses internal K8s service DNS (`.svc.cluster.local`)
- ✅ API key references use a Kubernetes Secret, not plain text
- ✅ Secrets accessed via `${{ secrets.* }}` — never hardcoded
- ✅ Workflow triggers are appropriate (not too broad)
- ✅ Steps have meaningful names
- 🔴 BLOCK: Any file containing `sk-ant-api03-` (real Anthropic key)
- 🔴 BLOCK: Secrets in `stringData` with real values
- 🟡 WARN: Missing resource limits in pod specs
- 🟡 WARN: Using `latest` image tag
The AI review posts a comment on the PR with this structure:

```markdown
## 🤖 AI Code Review

### Summary
[Brief description of changes]

### Issues Found
| Severity | File | Line | Issue |
|----------|------|------|-------|
| 🔴 CRITICAL | k8s/secret.yaml | 8 | Real API key detected! |
| 🟡 WARNING | k8s/backend.yaml | 12 | Expensive model selected |
| 🟢 INFO | k8s/gateway.yaml | - | Consider adding resource limits |

### Recommendations
[Specific actionable suggestions]

### Verdict
✅ APPROVED / ⚠️ NEEDS CHANGES / 🔴 BLOCKED
```
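As an added illustration (not the repository's own workflow code, which is model-driven), the following Python script implements the textual subset of the checklist above and renders its findings in the table and verdict format of the review comment. It assumes the checklist's rules as stated (the `sk-ant-api03-` key prefix, the `agentgateway.dev/v1alpha1` apiVersion for `AgentgatewayBackend`, `claude-sonnet`/`claude-opus` as expensive models, `.svc.cluster.local` for `baseUrl`, the `latest` tag, and resource limits in pod specs). It uses line-oriented matching on `---`-separated YAML rather than a YAML parser so it runs without dependencies; the sample manifest and the secret value in it are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Severity labels and verdict strings mirror the review comment template above.
CRITICAL, WARNING = "🔴 CRITICAL", "🟡 WARNING"

# Prefix of a real Anthropic key, as in the BLOCK rule of the checklist.
ANTHROPIC_KEY_RE = re.compile(r"sk-ant-api03-[A-Za-z0-9_-]{8,}")
# Required apiVersion per kind (the checklist fixes it for AgentgatewayBackend).
EXPECTED_API_VERSION = {"AgentgatewayBackend": "agentgateway.dev/v1alpha1"}
# Kinds carrying a pod spec, which the checklist expects to declare limits.
POD_KINDS = {"Pod", "Deployment", "StatefulSet", "DaemonSet", "Job"}


@dataclass
class Finding:
    severity: str
    file: str
    line: Optional[int]
    issue: str


def split_documents(text: str):
    """Split multi-document YAML on '---'; return (first line number, lines) pairs."""
    docs, current, start = [], [], 1
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() == "---":
            if current:
                docs.append((start, current))
            current, start = [], n + 1
        else:
            current.append(line)
    if current:
        docs.append((start, current))
    return docs


def find_key(lines, key: str, top_level: bool = True):
    """Return (index, value) of the first 'key: value' line, or (None, None).

    top_level=True requires column 0 (kind/apiVersion); otherwise any
    indentation is accepted (model, baseUrl nested inside a spec).
    """
    indent = "" if top_level else r"\s*"
    pat = re.compile(rf"^{indent}{key}:\s*(.+?)\s*$")
    for i, line in enumerate(lines):
        m = pat.match(line)
        if m:
            return i, m.group(1).strip("'\"")
    return None, None


def review_manifest(path: str, text: str):
    """Run the textual subset of the checklist over one manifest file."""
    findings = []
    # Key-leak and :latest checks do not depend on YAML structure.
    for n, line in enumerate(text.splitlines(), 1):
        if ANTHROPIC_KEY_RE.search(line):
            findings.append(Finding(CRITICAL, path, n, "Real API key detected!"))
        if re.match(r"^\s*image:\s*\S+:latest\s*$", line):
            findings.append(Finding(WARNING, path, n, "Using latest image tag"))
    for start, lines in split_documents(text):
        _, kind = find_key(lines, "kind")
        ai, api_version = find_key(lines, "apiVersion")
        expected = EXPECTED_API_VERSION.get(kind)
        if expected and api_version != expected:
            where = start + ai if ai is not None else None
            findings.append(Finding(CRITICAL, path, where, f"{kind} must use apiVersion {expected}"))
        mi, model = find_key(lines, "model", top_level=False)
        if model and re.search(r"claude-(sonnet|opus)", model):
            findings.append(Finding(WARNING, path, start + mi, "Expensive model selected"))
        bi, base_url = find_key(lines, "baseUrl", top_level=False)
        if base_url and ".svc.cluster.local" not in base_url:
            findings.append(Finding(WARNING, path, start + bi, "baseUrl should use internal K8s service DNS"))
        if kind in POD_KINDS and not any(re.match(r"^\s*limits:", l) for l in lines):
            findings.append(Finding(WARNING, path, start, "Missing resource limits in pod specs"))
    return findings


def verdict(findings) -> str:
    """Map the worst finding to the verdict line used in the review comment."""
    severities = {f.severity for f in findings}
    if CRITICAL in severities:
        return "🔴 BLOCKED"
    if WARNING in severities:
        return "⚠️ NEEDS CHANGES"
    return "✅ APPROVED"


def render_table(findings) -> str:
    """Render findings as the markdown table used in the review comment."""
    rows = ["| Severity | File | Line | Issue |", "|----------|------|------|-------|"]
    for f in findings:
        rows.append(f"| {f.severity} | {f.file} | {f.line if f.line is not None else '-'} | {f.issue} |")
    return "\n".join(rows)


# Constructed sample manifest (not from the repository); the key value is fake.
SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
  name: anthropic-secret
stringData:
  Authorization: sk-ant-api03-CONSTRUCTED-FAKE-VALUE-00000000
---
apiVersion: agentgateway.dev/v1alpha1
kind: AgentgatewayBackend
metadata:
  name: anthropic-backend
spec:
  model: claude-opus
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: review-bot
spec:
  template:
    spec:
      containers:
        - name: bot
          image: ghcr.io/example/review-bot:latest
"""

if __name__ == "__main__":
    found = review_manifest("k8s/sample.yaml", SAMPLE)
    print(render_table(found))
    print("Verdict:", verdict(found))
```

Running it on the constructed sample yields one CRITICAL finding (the fake key in `stringData`) and three WARNINGs (expensive model, missing limits, `latest` tag), so the verdict is 🔴 BLOCKED. A pre-commit hook or a plain workflow step built on these deterministic checks is a useful backstop for the model-based review, because a leaked key pattern is caught the same way every time regardless of how the model summarises the diff.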
Set the following GitHub repository secrets:

- `ANTHROPIC_API_KEY` — your Anthropic API key for running reviews

Configure review sensitivity in `.github/workflows/ai-review.yaml`.