Automated Review Workflows

In one line: Every pull request runs three review layers — deterministic CI gates, an automated bot review, and reviewer-agent dispatch — so review is a shipped workflow, not a habit.

Do this: Before opening a PR, run the local bot pass (/code-review over your diff) and resolve its findings; let the deterministic gates and the change-matched reviewer agents run on the PR; disposition every finding from every layer as fixed, acknowledged, or disputed.

The three layers, and which one is enforced:

  • Deterministic CI gates — ENFORCED. Lint, format, test, and coverage run on every PR and locally on every push. These are the always-on core: a regression here blocks the merge. Mechanism: the gates job in the shipped templates/workflows/pr-review.yml, mirrored locally by the templates/hooks/pre-push-gate.sh hook (Layer 3, §7.1).
  • Automated LLM bot-review — recommended (not yet enforced) unless configured. A bot reads the diff and posts findings. Mechanism (local): the /code-review skill, run before opening the PR, backed by skill:s4u-code-review. Mechanism (CI): the ai-review job in pr-review.yml — this job is credential-gated on an ANTHROPIC_API_KEY secret and short-circuits cleanly when the secret is absent, so it is inert (recommended, not enforced) until a project configures the key.
  • Reviewer-agent dispatch — domain checks. The four reviewer agents (API, security, migration, compliance; §5.3) are auto-selected by change type and produce structured severity / location / issue / fix findings. Mechanism: the change-type → reviewer table in §7.3, driven off the reviewer definitions in templates/agents/.

These layers feed the same review discipline, not a separate one. Each layer's output enters the two-stage review norm — Stage 1 spec compliance, then Stage 2 code quality (§3.3) — and every finding from every layer lands in exactly one of the three dispositions (fixed / acknowledged with a tracking issue / disputed with technical reasoning); none is silently ignored.
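The disposition rule above can be checked mechanically before merge. The following is an added example, not code shipped with these templates: the `Finding` fields, the layer labels, and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DISPOSITIONS = {"fixed", "acknowledged", "disputed"}
# Assumed labels for the three review layers; the templates may name them differently.
LAYERS = {"gates", "bot", "reviewer-agent"}


@dataclass
class Finding:
    layer: str
    severity: str
    location: str
    issue: str
    fix: str = ""
    disposition: str = ""      # empty means nobody has dispositioned it yet
    tracking_issue: str = ""   # required when disposition == "acknowledged"
    reasoning: str = ""        # required when disposition == "disputed"


def undispositioned(findings):
    """Return (location, problem) pairs for findings that break the rule."""
    problems = []
    for f in findings:
        if f.layer not in LAYERS:
            problems.append((f.location, f"unknown layer {f.layer!r}"))
        if f.disposition not in DISPOSITIONS:
            problems.append((f.location, "no disposition recorded"))
        elif f.disposition == "acknowledged" and not f.tracking_issue.strip():
            problems.append((f.location, "acknowledged without a tracking issue"))
        elif f.disposition == "disputed" and not f.reasoning.strip():
            problems.append((f.location, "disputed without technical reasoning"))
    return problems


# Constructed sample: one finding per failure mode plus two valid ones.
SAMPLE = [
    Finding("gates", "high", "src/app.py:10", "coverage dropped",
            disposition="fixed"),
    Finding("bot", "medium", "src/auth.py:42", "token compared with ==",
            disposition="acknowledged"),  # no tracking issue attached
    Finding("reviewer-agent", "high", "migrations/0007.sql:3",
            "non-reversible migration", disposition="disputed",
            reasoning="table is empty in every environment"),
    Finding("bot", "low", "README.md:1", "stale badge"),  # silently ignored
]

if __name__ == "__main__":
    for location, problem in undispositioned(SAMPLE):
        print(f"{location}: {problem}")
```

A merge check built on this would fail the PR whenever `undispositioned` returns a non-empty list.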

Evidence: The deterministic half is reproducible — push a lint or coverage regression and watch the gates job and the pre-push hook reject it with identical commands. The bot half is honest about its gating: pr-review.yml's ai-review job runs nothing it cannot run (no key → no review, no false-green). See Section 5.3 for the reviewer definitions and skill:s4u-code-review for the local bot-pass procedure.