This GitHub Action automatically runs AI-powered code reviews on pull requests using the UNC (Universal Code) tool. It provides intelligent feedback through inline comments on specific lines of code and generates comprehensive review summaries.
- AI-Powered Analysis: Uses advanced AI models to detect code issues
- Inline Comments: Posts feedback directly on problematic lines in the diff view
- Comprehensive Summaries: Generates detailed markdown reports with severity breakdown
- Multi-Commit Support: Automatically handles complex PR scenarios
- Smart File Matching: Accurately maps issues to the correct files
- Professional Formatting: Clean, organized output with severity indicators
- Add the workflow file to your repository at
.github/workflows/code-review.yml - Configure secrets in your repository settings
- Create a pull request to trigger the review
Create .github/workflows/code-review.yml in your repository with the following content:
name: AI Code Review
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
code-review:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install UNC
run: pip install git+https://github.com/nikolliervin/code-unc.git
- name: Initialize UNC config
run: |
mkdir -p ~/.config/unc
cat > ~/.config/unc/config.yaml << 'EOF'
ai:
provider: "${{ secrets.AI_PROVIDER }}"
model: "${{ secrets.AI_MODEL }}"
temperature: 0.1
max_tokens: 4000
max_retries: 3
retry_delay: 1.0
timeout: 300
gemini_api_key: "${{ secrets.GEMINI_API_KEY }}"
openai_api_key: "${{ secrets.OPENAI_API_KEY }}"
output:
format: "json"
show_progress: false
show_metrics: true
show_suggestions: true
max_issues_display: 50
color_enabled: false
git:
default_source: "HEAD"
default_target: "main"
max_diff_size: 1000000
include_patterns: []
exclude_patterns: ["*.log", "*.tmp", "node_modules/*", ".git/*"]
binary_files: false
cache:
enabled: true
ttl_hours: 24
max_size_mb: 100
cleanup_interval_hours: 168
review:
default_focus: []
severity_threshold: "LOW"
max_files_per_review: 100
timeout_seconds: 300
EOF
- name: Prepare git
run: |
git config --global user.name "github-actions"
git config --global user.email "github-actions@github.com"
git branch -D pr-source 2>/dev/null || true
git branch -D pr-target 2>/dev/null || true
git branch pr-target ${{ github.event.pull_request.base.sha }}
git branch pr-source ${{ github.event.pull_request.head.sha }}
git checkout pr-source
# ... [rest of the workflow content from your file]Navigate to your repository → Settings → Secrets and variables → Actions and add the following secrets:
| Secret Name | Description | Example Value |
|---|---|---|
AI_PROVIDER |
AI service provider | gemini, openai, anthropic, or mistral |
AI_MODEL |
Specific AI model to use | gemini-1.5-pro, gpt-4, claude-3-sonnet, mistral-large-latest |
For Google Gemini:
| Secret Name | Description | How to Get |
|---|---|---|
GEMINI_API_KEY |
Google Gemini API key | Get API Key |
For OpenAI:
| Secret Name | Description | How to Get |
|---|---|---|
OPENAI_API_KEY |
OpenAI API key | OpenAI Platform |
For Anthropic:
| Secret Name | Description | How to Get |
|---|---|---|
ANTHROPIC_API_KEY |
Anthropic API key | Anthropic Console |
For Mistral:
| Secret Name | Description | How to Get |
|---|---|---|
MISTRAL_API_KEY |
Mistral API key | Mistral Platform |
- Go to your GitHub repository
- Click Settings (top menu)
- In the left sidebar, click Secrets and variables → Actions
- Click New repository secret
- Enter the secret name and value
- Click Add secret
For Google Gemini:
AI_PROVIDER = gemini
AI_MODEL = gemini-1.5-pro
GEMINI_API_KEY = AIzaSyC...your-actual-api-key...
For OpenAI:
AI_PROVIDER = openai
AI_MODEL = gpt-4
OPENAI_API_KEY = sk-proj-...your-actual-api-key...
For Anthropic:
AI_PROVIDER = anthropic
AI_MODEL = claude-3-sonnet-20240229
ANTHROPIC_API_KEY = sk-ant-...your-actual-api-key...
For Mistral:
AI_PROVIDER = mistral
AI_MODEL = mistral-large-latest
MISTRAL_API_KEY = ...your-actual-api-key...
The action automatically triggers on:
- New pull requests (
opened) - Pull request updates (
synchronize) - Reopened pull requests (
reopened)
The action posts comments directly on problematic lines:
🚨 CRITICAL: Hardcoded API secrets detected
This code contains hardcoded API keys which poses a severe security risk.
Secrets should be stored in environment variables or a secure secrets manager.
Suggestion: Move these to environment variables
Category: security
Generated by UNC AI Code Review
A comprehensive markdown summary is posted to the PR:
## AI Code Review Results
### Found 5 Issues
**Severity Breakdown:** 🚨 1 Critical • ⚠️ 2 High • 💡 2 Medium
### Issue Details
#### 🚨 CRITICAL: Production secrets exposed
**Location:** `src/config/database.js:15`
**Category:** security (95% confidence)
The database configuration contains hardcoded credentials...
### Review Statistics
- **Files Reviewed:** 3
- **Lines Added:** +142
- **Lines Deleted:** -28You can customize the AI behavior by modifying the config in the workflow:
ai:
provider: "gemini" # AI provider (gemini/openai/anthropic/mistral)
model: "gemini-1.5-pro" # Specific model
temperature: 0.1 # Response randomness (0.0-1.0)
max_tokens: 4000 # Maximum response length
timeout: 300 # Request timeout in secondsreview:
severity_threshold: "LOW" # Minimum severity to report (LOW/MEDIUM/HIGH/CRITICAL)
max_files_per_review: 100 # Maximum files to review per PR
timeout_seconds: 300 # Review timeoutgit:
include_patterns: ["*.js", "*.ts", "*.py"] # Only review these files
exclude_patterns: [ # Skip these files/patterns
"*.log",
"*.tmp",
"node_modules/*",
".git/*",
"dist/*",
"build/*"
]You can specify focus areas for more targeted reviews:
review:
default_focus: ["security", "performance", "bugs"]Available focus areas:
security- Security vulnerabilities and best practicesperformance- Performance optimizations and bottlenecksbugs- Potential bugs and logical errorsmaintainability- Code organization and readabilitytesting- Test coverage and quality
Customize which branches trigger reviews:
on:
pull_request:
types: [opened, synchronize, reopened]
branches: [main, develop] # Only for PRs to these branchesCause: File paths don't match between UNC output and GitHub PR
Solution: Check that file paths in your repository match the expected structure
Cause: Missing or incorrectly named secret
Solution: Verify secret names match exactly (case-sensitive)
Cause: Too many API requests to AI provider
Solution: Reduce max_files_per_review or increase retry_delay
Cause: Insufficient GitHub token permissions
Solution: Ensure workflow has pull-requests: write permission
To enable detailed logging for troubleshooting, add this to your workflow:
- name: Enable debug logging
run: echo "ACTIONS_STEP_DEBUG=true" >> $GITHUB_ENV- Go to the Actions tab in your repository
- Click on the failed workflow run
- Expand the "Run UNC and extract JSON" step
- Look for error messages and debug information
- Test with a small PR first
- Review and adjust severity threshold based on your team's needs
- Customize excluded file patterns for your project structure
- Use repository secrets (never commit API keys)
- Rotate API keys regularly
- Use separate keys for different environments
- Document the review process for your team
- Set expectations about automated vs manual reviews
- Use the action as a supplement to, not replacement for, human review
- Monitor AI provider usage and costs
- Adjust
max_files_per_reviewfor large repositories - Consider using different models for different file types
# Repository Secrets:
AI_PROVIDER=gemini
AI_MODEL=gemini-1.5-pro
GEMINI_API_KEY=your-api-key# Repository Secrets:
AI_PROVIDER=openai
AI_MODEL=gpt-4
OPENAI_API_KEY=your-api-key
# Workflow config adjustments:
temperature: 0.0 # More consistent results
max_files_per_review: 50 # Limit for large repos
severity_threshold: "MEDIUM" # Reduce noise# Focus on security issues only
review:
default_focus: ["security"]
severity_threshold: "HIGH"
# Exclude non-security relevant files
git:
exclude_patterns: [
"*.md", "*.txt", "*.json",
"test/*", "tests/*",
"docs/*"
]- Issues: GitHub Issues
- Documentation: UNC Documentation
- Discussions: GitHub Discussions
This workflow is provided as-is. Please review your AI provider's terms of service regarding automated code analysis.