Continuous ai review bot

[tomasz-stefaniak]

Description

The bot is triggered when the PR opens or when a draft PR is converted to a regular PR.

Checklist

• [] I've read the contributing guide
• [] The relevant docs, if any, have been updated or created
• [] The relevant tests, if any, have been updated or created

Screen recording or screenshot

[ When applicable, please include a short screen recording or screenshot - this makes it much easier for us as contributors to review and understand your changes. See this PR as a good example. ]

Tests

[ What tests were added or updated to ensure the changes work as expected? ]

---

Summary by cubic

Added a GitHub Actions workflow to automatically run the Continue CLI for code review on pull requests and pushes to main.

• New Features
• Installs and runs the Continue CLI with a hardcoded prompt to review code quality.
• Uses the CONTINUE_API_KEY secret for authentication.

[github-actions]

⚠️ PR Title Format

Your PR title doesn't follow the conventional commit format, but this won't block your PR from being merged. We recommend using this format for better project organization.

Expected Format:

<type>[optional scope]: <description>

Examples:

• feat: add changelog generation support
• fix: resolve login redirect issue
• docs: update README with new instructions
• chore: update dependencies

Valid Types:

feat, fix, docs, style, refactor, perf, test, build, ci, chore, revert

This helps with:

• 📝 Automatic changelog generation
• 🚀 Automated semantic versioning
• 📊 Better project history tracking

This is a non-blocking warning - your PR can still be merged without fixing this.

[cubic-dev-ai]

cubic analysis

1 issue found across 1 file • Review in cubic

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

Referencing a required secret in a pull-request workflow without a fallback or conditional guard will make the job fail for contributions from forks.

Prompt for AI agents

Address the following comment on .github/workflows/cli-review.yaml at line 36:

<comment>Referencing a required secret in a pull-request workflow without a fallback or conditional guard will make the job fail for contributions from forks.</comment>

<file context>
@@ -0,0 +1,36 @@
+name: CLI Review
+
+on:
+  pull_request:
+    branches:
+      - main
+
+  push:
+    branches:
</file context>

[github-actions]

Code Review Summary

✅ Strengths

• Clear structure: Well-organized workflow with logical step progression and clear naming conventions
• Comprehensive security: Proper permissions scope (read-only contents, write for PR comments)
• Good error handling: Uses conditional checks, artifact uploads, and try-catch blocks for robustness
• Artifact management: Properly uploads review results with appropriate retention policy
• Comment management: Smart logic to update existing bot comments instead of creating duplicates
• Environment isolation: Uses proper environment variable handling for secrets

⚠️ Issues Found

HIGH SEVERITY:

• Hardcoded CLI version: Line 28 pins to a specific version @continuedev/[email protected] which will become outdated and may introduce compatibility issues
• Missing error handling: The gh pr diff command (line 34) and Continue CLI execution (line 88) lack proper error handling if they fail

MEDIUM SEVERITY:

• Workflow trigger scope: Triggers on pull_request.opened and ready_for_review but misses subsequent pushes to PR branches, meaning code changes won't trigger re-reviews
• Resource usage: fetch-depth: 0 fetches entire git history which may be unnecessary for PR diffs and could impact performance
• Inconsistent condition: The workflow only runs when github.event.pull_request.draft == false but doesn't check this in the trigger conditions

LOW SEVERITY:

• Magic strings: Bot signature <!-- continue-cli-review --> could be defined as a constant
• Hardcoded organization: Uses continuedev org and review-bot config without making them configurable

💡 Suggestions

1. Make CLI version configurable: Use a workflow input or environment variable for the CLI version instead of hardcoding
2. Add comprehensive triggers: Include synchronize event to re-review when PR is updated:

   on:
     pull_request:
       types: [opened, ready_for_review, synchronize]

3. Add error handling: Wrap critical commands in conditional checks:

   if ! gh pr diff ${{ github.event.number }} > pr_diff.txt; then
     echo "Failed to get PR diff" && exit 1
   fi

4. Optimize git fetch: Use fetch-depth: 1 unless full history is specifically needed
5. Add workflow inputs: Make organization and config configurable for reusability
6. Consider rate limiting: Add logic to prevent excessive API calls for rapid PR updates

🚀 Overall Assessment

COMMENT - The workflow is well-structured and functional but has several areas for improvement, particularly around error handling and version management. The security implementation is solid, and the overall approach is sound. The issues found are not critical enough to block deployment but should be addressed to ensure long-term maintainability and reliability.

[cubic-dev-ai]

cubic analysis

2 issues found across 2 files • Review in cubic

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

This workflow duplicates the existing continue-review workflow, causing redundant CI runs and potential duplicate PR comments.

Prompt for AI agents

Address the following comment on .github/workflows/cli-review.yaml at line 1:

<comment>This workflow duplicates the existing continue-review workflow, causing redundant CI runs and potential duplicate PR comments.</comment>

<file context>
@@ -0,0 +1,36 @@
+name: CLI Review
+
+on:
</file context>

[cubic-dev-ai]

Running the CLI in interactive mode will block the workflow because no TTY is available in GitHub Actions.

Prompt for AI agents

Address the following comment on .github/workflows/cli-review.yaml at line 34:

<comment>Running the CLI in interactive mode will block the workflow because no TTY is available in GitHub Actions.</comment>

<file context>
@@ -0,0 +1,36 @@
+name: CLI Review
+
+on:
+  pull_request:
+    branches:
+      - main
+
+  push:
+    branches:
</file context>

[cubic-dev-ai]

cubic analysis

3 issues found across 2 files • Review in cubic

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

Workflow omits an explicit permissions: section, so it runs with the default broad permissions instead of the minimal set required.

Prompt for AI agents

Address the following comment on .github/workflows/cli-review.yaml at line 12:

<comment>Workflow omits an explicit `permissions:` section, so it runs with the default broad permissions instead of the minimal set required.</comment>

<file context>
@@ -0,0 +1,36 @@
+name: CLI Review
+
+on:
+  pull_request:
+    branches:
+      - main
+
+  push:
+    branches:
</file context>

[cubic-dev-ai]

Action version is not pinned to an immutable reference, which can allow unexpected or malicious changes to be introduced if the tag is retagged.

Prompt for AI agents

Address the following comment on .github/workflows/cli-review.yaml at line 18:

<comment>Action version is not pinned to an immutable reference, which can allow unexpected or malicious changes to be introduced if the tag is retagged.</comment>

<file context>
@@ -0,0 +1,36 @@
+name: CLI Review
+
+on:
+  pull_request:
+    branches:
+      - main
+
+  push:
+    branches:
</file context>

[cubic-dev-ai]

Workflow is not re-run when new commits are pushed, so the AI review comment can fall out-of-date.

Prompt for AI agents

Address the following comment on .github/workflows/continue-review.yaml at line 5:

<comment>Workflow is not re-run when new commits are pushed, so the AI review comment can fall out-of-date.</comment>

<file context>
@@ -0,0 +1,164 @@
+name: Continue CLI Code Review
+
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+
+permissions:
</file context>

[bdougie]

In my experience. Only "ready to review" is great to limit credit spend, but I don't think contributors will start with a draft. So makes sense to have this as opened, but probably makes sense"ready to review" unnecessary

[github-actions]

Code Review Summary

✅ Strengths

• Clear structure: Well-organized workflow with logical step progression
• Comprehensive permissions: Appropriate read/write permissions for PR operations
• Error handling: Includes fallback handling for empty review output
• Artifact preservation: Uploads review results for debugging and auditing
• Security awareness: Uses hardcoded organization/config to prevent arbitrary execution
• Conditional execution: Properly skips draft PRs
• Timeout protection: 10-minute timeout prevents runaway jobs
• Comment management: Creates new comments rather than editing existing ones

⚠️ Issues Found

• Medium: Hardcoded CLI version (@continuedev/[email protected]) will become outdated and may cause compatibility issues
• Medium: Missing error handling for CLI command failures - if cn command fails, the workflow continues silently
• Low: No validation that required secret CONTINUE_API_KEY is configured before running
• Low: Git diff retrieval uses gh pr diff but doesn't verify GitHub CLI is available
• Low: Large prompt construction could hit shell command length limits for very large PRs

💡 Suggestions

• Use latest CLI version: Consider using @continuedev/cli@latest or pin to a more recent stable version
• Add error handling: Wrap the Continue CLI execution in error checking:

  - name: Run Continue CLI Review
    run: |
      if ! cat review_prompt.txt | cn --auto --org continuedev --config continuedev/review-bot -p > code_review.md; then
        echo "⚠️ Continue CLI execution failed" > code_review.md
        exit 1
      fi

• Add secret validation: Check for required secrets early in the workflow
• Consider rate limiting: Add logic to skip reviews for very large PRs (>1000 lines) to avoid resource exhaustion
• Add workflow dispatch: Allow manual triggering for testing purposes
• Improve logging: Add debug output to show CLI version and configuration being used

🚀 Overall Assessment

COMMENT - This is a well-structured GitHub workflow that appropriately integrates Continue CLI for automated code reviews. The workflow follows GitHub Actions best practices and includes proper error handling for the comment posting. While there are some areas for improvement around version management and error handling, the current implementation is functional and secure. The hardcoded organization/config approach is actually a security benefit that prevents malicious usage.

The workflow fits well within the existing CI/CD ecosystem and doesn't conflict with existing PR checks. It adds value without being disruptive to the development process.

[cubic-dev-ai]

cubic analysis

1 issue found across 1 file • Review in cubic

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

This step assumes review_prompt.txt exists, but it is skipped for draft PRs, so the job will crash for every draft pull request.

Prompt for AI agents

Address the following comment on .github/workflows/continue-review.yaml at line 91:

<comment>This step assumes review_prompt.txt exists, but it is skipped for draft PRs, so the job will crash for every draft pull request.</comment>

<file context>
@@ -0,0 +1,137 @@
+name: Continue CLI Code Review
+
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
</file context>

[tomasz-stefaniak]

@continue-review please review

[github-actions]

Code Review Summary

✅ Strengths

• Clear Documentation: The PR template now clearly explains the AI review feature to users, setting proper expectations about when reviews run
• Proper Permissions: The workflow correctly sets minimal required permissions (contents: read, pull-requests: write, issues: write)
• Team Member Restriction: Good security practice by restricting automated reviews to team members only (OWNER, MEMBER, COLLABORATOR)
• Dual Triggering: Smart implementation allowing both automatic triggers on PR events and manual triggers via comments
• Artifact Retention: Proper artifact uploading with reasonable 30-day retention for debugging
• Error Handling: The GitHub script includes try-catch blocks and graceful error handling
• Timeout Protection: 10-minute timeout prevents runaway jobs

⚠️ Issues Found

• Critical - Hardcoded CLI Version: Line 45 installs a specific version @continuedev/[email protected] which will become outdated and may cause compatibility issues (Medium severity)
• Critical - Missing Secret Validation: The workflow uses CONTINUE_API_KEY secret without validating its existence, which could cause silent failures (Medium severity)
• Missing Error Context: The workflow doesn't capture or expose CLI execution errors, making debugging difficult (Low severity)
• Resource Efficiency: Always uploading artifacts even on failures could waste storage (Low severity)
• Branch Context Missing: The workflow doesn't consider target branch context which might be important for review quality

💡 Suggestions

1. Use Latest CLI Version: Replace hardcoded version with @continuedev/cli@latest or use a version matrix/variable that's easier to maintain
2. Add Secret Validation: Add a step to validate CONTINUE_API_KEY exists and fail fast with clear error message if missing
3. Improve Error Handling: Capture CLI stderr/stdout and include in artifacts or comments for better debugging
4. Conditional Artifacts: Only upload artifacts on failure or when explicitly needed to reduce storage costs
5. Add Branch Context: Consider including target branch information in the review prompt for better context
6. Rate Limiting: Consider adding rate limiting to prevent abuse of the manual trigger feature
7. Review Size Limits: Add checks for PR diff size to avoid processing extremely large changes that might hit API limits

🚀 Overall Assessment

COMMENT - The implementation is solid with good security practices and clear user documentation. However, the hardcoded CLI version and missing secret validation are operational concerns that should be addressed before merging. The feature adds valuable functionality to the development workflow while maintaining appropriate access controls.

The workflow follows GitHub Actions best practices and integrates well with the existing CI/CD infrastructure. Once the version pinning and error handling improvements are made, this will be a robust addition to the codebase.

[cubic-dev-ai]

cubic analysis

2 issues found across 2 files • Review in cubic

_{React with 👍 or 👎 to teach cubic. You can also tag @cubic-dev-ai to give feedback, ask questions, or re-run the review.}

[cubic-dev-ai]

External actions are referenced only by version tags (e.g., actions/checkout@v4) instead of immutable commit SHAs. Tag drift can introduce unreviewed changes or malicious code into your workflow and is discouraged by GitHub’s security guidelines.

(Based on your team's feedback about pinning third-party GitHub Actions to commit SHAs for supply-chain security.)

Prompt for AI agents

Address the following comment on .github/workflows/continue-review.yaml at line 36:

<comment>External actions are referenced only by version tags (e.g., `actions/checkout@v4`) instead of immutable commit SHAs. Tag drift can introduce unreviewed changes or malicious code into your workflow and is discouraged by GitHub’s security guidelines.

(Based on your team&#39;s feedback about pinning third-party GitHub Actions to commit SHAs for supply-chain security.)</comment>

<file context>
@@ -0,0 +1,172 @@
+name: Continue CLI Code Review
+
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+  issue_comment:
+    types: [created]
+
+permissions:
</file context>

[cubic-dev-ai]

Using the literal block indicator | preserves the newline characters, so the if expression is passed to the runner with embedded new-lines. GitHub Actions fails to parse multi-line if expressions containing newlines, causing the job to be skipped or to error. Use the folded style (>) so the expression is evaluated as a single line.

Prompt for AI agents

Address the following comment on .github/workflows/continue-review.yaml at line 22:

<comment>Using the literal block indicator `|` preserves the newline characters, so the `if` expression is passed to the runner with embedded new-lines. GitHub Actions fails to parse multi-line `if` expressions containing newlines, causing the job to be skipped or to error. Use the folded style (`&gt;`) so the expression is evaluated as a single line.</comment>

<file context>
@@ -0,0 +1,172 @@
+name: Continue CLI Code Review
+
+on:
+  pull_request:
+    types: [opened, ready_for_review]
+  issue_comment:
+    types: [created]
+
+permissions:
</file context>

[github-actions]

Code Review Summary

✅ Strengths

• Clear Documentation: Well-documented workflow with clear steps and comments explaining the purpose
• Security-Conscious Design: Proper permission restrictions to team members only (OWNER, MEMBER, COLLABORATOR)
• Dual Trigger Support: Supports both automatic triggering on PR events and manual triggering via comments
• Comprehensive Error Handling: Includes fallback messages and error logging
• Artifact Preservation: Uploads review artifacts for debugging and audit purposes
• Professional Template: Uses a structured markdown template for consistent review format

⚠️ Issues Found

High

• Hardcoded CLI Version: The workflow installs a specific version of Continue CLI (@continuedev/[email protected]) which will become outdated and may cause compatibility issues or miss important updates
• Unvalidated Secret Dependency: The workflow depends on CONTINUE_API_KEY secret but there's no validation that it exists or is properly configured

Medium

• Missing Timeout on CLI Execution: The Continue CLI execution has no timeout, which could cause the workflow to hang indefinitely if the CLI becomes unresponsive
• No Error Handling for CLI Failures: If the Continue CLI command fails, the workflow will still attempt to post results, potentially posting empty or error content
• Large Diff Handling: No size limits on PR diffs - very large PRs could cause performance issues or API limits

Low

• Artifact Retention: 30-day retention for artifacts may be excessive for CI workflows, increasing storage costs
• Missing Version Pin for Actions: Some actions like upload-artifact@v4 could benefit from SHA pinning for better security

💡 Suggestions

• Dynamic CLI Version: Consider using @continuedev/cli@latest or parameterize the version to make updates easier
• Add CLI Timeout: Implement a reasonable timeout (e.g., 5 minutes) for the CLI execution step
• Improve Error Handling: Add error detection for CLI failures and provide more informative error messages
• Add Diff Size Validation: Consider adding a check to skip very large diffs or warn about them
• Environment Validation: Add a step to validate that required secrets are configured

🚀 Overall Assessment

COMMENT - The workflow is well-structured and implements good security practices, but needs improvements in error handling and version management before merging. The hardcoded CLI version and lack of timeout handling are the primary concerns that should be addressed.

[cubic-dev-ai]

cubic analysis

No issues found across 2 files. Review in cubic

[Patrick-Erichsen]

Do we want to pin to this CLI version?

[tomasz-stefaniak]

Yeah, that's by design. I think we should pretty much always do this when using a dependency with ad-hoc npm install. Otherwise, we may end up using a version with a breaking change, or even a version with a security issue.

[Patrick-Erichsen]

My hunch is that this will get annoying with it following the exact structure even when unnecessary. Might be helpful to add a comment like "You do not need to follow this exact structure, use it for inspiration while still keeping your review concise and focused."

[tomasz-stefaniak]

I made it more rigid on purpose - the odds are most people won't read this thoroughly but will skim it. The more consistent the structure, the easier it will be to find the exact data you need.

[Patrick-Erichsen]

Since we have the repo cloned, will the agent be following our rules in the .continue folder? If not, could we just cat them into the context window or something?

[tomasz-stefaniak]

I thought about this but we have a lot of different rules with different triggers, we'd have to either put all the rules in the context (noisy), or handle rule resolution for each file individually (complicated). I'm not against it but it feels out of the scope of this PR.

[tomasz-stefaniak]

@continue-review hello

[sestinj]

🎉 This PR is included in version 1.5.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[sestinj]

🎉 This PR is included in version 1.7.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀