
User GitHub Agent for AI Code Review Bot

You:

I wonder, do we need to create a new GitHub user and make that user a code owner for the repository, and how do we associate or automatically enable this process to create comments based on a bot or some specific AI user?


ChatGPT:

You're thinking next-level strategy here. Associating your PR reviews with a dedicated bot user or AI-specific GitHub account is not only clean but professional—it makes it clear who’s doing the commenting and avoids polluting your team’s commit history with bot-generated comments.

Here’s how to set this up:


Why Use a Dedicated GitHub User for the Bot?

  1. Transparency:

    • All comments, reviews, or actions are clearly labeled as being from the bot, avoiding confusion with human contributors.
  2. Code Ownership:

    • Assign the bot as a code owner for files or directories where it should focus reviews.
    • Enables the bot to automatically trigger reviews for its assigned areas.
  3. Security and Control:

    • You can tightly manage permissions for the bot, ensuring it can only comment, not merge or modify code.

Step 1: Create a New GitHub User for the Bot

  1. Sign Up for a New GitHub Account:

    • Create a new account (e.g., ai-code-review-bot).
    • Use a team-specific email address (e.g., bot@yourcompany.com) to manage the account.
  2. Configure Bot Profile:

    • Add a profile picture and description for the bot (e.g., “AI-Powered PR Review Bot”).
  3. Set Up Authentication:

    • Generate a personal access token (PAT) for the bot:
      1. Log in to the bot account.
      2. Go to Settings → Developer Settings → Personal Access Tokens → Generate New Token.
      3. Select the following scopes:
        • repo (for private repositories).
        • write:discussion (to add comments).
        • read:org (if the bot interacts with organization-level repositories).

Step 2: Add the Bot as a Collaborator

  1. Invite the Bot to Your Repository:

    • Go to your repository → Settings → Collaborators and Teams.
    • Add the bot user as a collaborator with write access.
  2. Optional: Add the Bot to an Organization Team:

    • If your repo is part of an organization, create a team (e.g., AI Reviewers) and add the bot to the team.

Step 3: Assign the Bot as a Code Owner

Using CODEOWNERS, assign the bot as the owner for specific files or directories where it will review.

Create a CODEOWNERS File

  1. Add a CODEOWNERS file in the .github directory (or root of the repo).

  2. Define ownership rules, assigning the bot to specific files or directories:

    # CODEOWNERS file

    # Assign the bot to all files in the repo
    * @ai-code-review-bot

    # Assign the bot to specific directories
    /src/ @ai-code-review-bot

    # Assign to specific file types
    *.ts @ai-code-review-bot

What This Does

  • Any pull request touching the specified files triggers the bot as a reviewer.
  • The bot will automatically be added to the "Reviewers" section of the PR.

Step 4: Configure Your Workflows to Use the Bot

When using the bot’s PAT, all actions and comments will appear as authored by the bot.

Update GitHub Workflows

In your workflow files, replace your personal GitHub token with the bot’s token.

env:
  GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}

Set Up Secrets

  1. Add the bot’s PAT as a repository secret:
    • Go to Settings → Secrets and Variables → Actions → New Repository Secret.
    • Name the secret BOT_GITHUB_TOKEN and paste the PAT.

Step 5: Customizing Bot Comments

Use the bot’s name and persona in all comments to make it clear that the feedback is AI-generated.

Example Comment Format

### 🛠 AI-Powered Review by `ai-code-review-bot`

**File:** `src/app/file.ts`
**Lines:** 10-20

The changes in this block introduce high cyclomatic complexity. Consider refactoring the logic to improve readability and maintainability.

**Risk Score:** 7/10
**Recommendations:**
- Refactor the `calculate()` function to reduce nested conditionals.
- Add unit tests for edge cases.

Step 6: Automatically Responding to Owner Comments

When the PR owner responds to a bot comment, use the GitHub API to detect these responses and reply as the bot.

Logic to Handle Owner Responses

  1. Fetch all comments in the PR:

    const { Octokit } = require("@octokit/rest");
    // Authenticate as the bot account so every reply is attributed to it
    const octokit = new Octokit({ auth: process.env.BOT_GITHUB_TOKEN });

    // paginate() walks every page; listComments alone returns only the first 30
    const comments = await octokit.paginate(octokit.issues.listComments, {
      owner: repoOwner,
      repo: repoName,
      issue_number: prNumber,
      per_page: 100,
    });
  2. Filter comments by the PR owner:

    // prOwner is the PR author's login (pull_request.user.login in the event payload)
    const ownerComments = comments.filter(
      (comment) => comment.user?.login === prOwner
    );
  3. Respond to specific questions using AI:

    for (const comment of ownerComments) {
      // Hidden marker ties a reply to the comment it answers, so re-running the
      // job does not answer the same comment a second time
      const marker = `<!-- ai-reply-to:${comment.id} -->`;
      if (comments.some((c) => c.body && c.body.includes(marker))) continue;

      // generateAIResponse is the placeholder for the model call
      const aiResponse = await generateAIResponse(comment.body);
      await octokit.issues.createComment({
        owner: repoOwner,
        repo: repoName,
        issue_number: prNumber,
        body: `${marker}\n@${comment.user.login} ${aiResponse}`,
      });
    }

Step 7: Scaling Permissions and Auditing

  1. Limit Bot Permissions:

    • Use the least-privilege principle to restrict the bot’s access to only what it needs:
      • Write access for comments and reviews.
      • No push or admin rights.
  2. Audit Actions:

    • Monitor the bot’s activity using GitHub’s audit logs (available for organizations).

Final Setup Recap

  1. Create a GitHub bot user with a PAT.
  2. Add the bot as a collaborator or to an organization team.
  3. Assign the bot as a code owner for specific files or directories.
  4. Update workflows to use the bot’s PAT for comments and reviews.
  5. Customize comments to clearly indicate they’re bot-generated.
  6. Use GitHub APIs to handle responses dynamically.

What This Achieves

  • A clean, dedicated identity for AI-generated comments.
  • Automatic assignment of the bot as a reviewer for relevant PRs.
  • Transparent interactions between the bot and the PR owner, fostering trust in automated feedback.

Let me know if you’d like to dive deeper into any specific part of this setup—whether it’s workflow optimizations, bot persona design, or scaling permissions! 🚀
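Added example, not part of the conversation above: a pre-flight least-privilege audit for the bot's token, the check Step 7 asks for but does not show. The review job can run it with the bot's PAT before posting anything and abort if the token is wider than the setup needs. It reads the two things GitHub actually reports about a token: the X-OAuth-Scopes header that every authenticated REST response carries for a classic PAT (fine-grained PATs do not send it, and the audit then relies on the role check alone), and the permissions object returned by GET /repos/{owner}/{repo}, which reflects the bot's effective collaborator role. The policy constants, the auditLiveToken wrapper and the two sample responses are assumptions constructed for this example. One caveat the setup above glosses over: code owners must have write access to be auto-requested, and a classic PAT's repo scope cannot be narrowed to comment-only, so the audit treats write as expected and flags only admin, maintain and dangerous scopes; what keeps the bot from pushing to or merging into protected branches is branch protection, and a fine-grained PAT limited to Pull requests: write with Contents: read is the way to get a token that genuinely cannot push.

```javascript
// Added example, not code from the original conversation. Pre-flight audit of
// the bot's GitHub token against a least-privilege policy.
// Assumed GitHub API facts:
//   - X-OAuth-Scopes: comma-separated classic PAT scopes on any authenticated
//     REST response (absent for fine-grained PATs);
//   - GET /repos/{owner}/{repo} returns data.permissions =
//     { admin, maintain, push, triage, pull } for the caller.
// The policy sets, auditLiveToken and the SAMPLE_* inputs are constructed
// for this example.

// Scopes the page's Step 1 asks for; anything else is reported.
const ALLOWED_SCOPES = new Set(["repo", "read:org", "write:discussion"]);
// Scopes a comment-and-review bot never needs; any of these aborts the job.
const FORBIDDEN_SCOPES = new Set([
  "admin:org", "admin:repo_hook", "admin:org_hook", "delete_repo", "workflow",
]);

// "repo, read:org" -> ["repo", "read:org"]; missing header -> []
function parseScopes(headerValue) {
  if (!headerValue) return [];
  return headerValue.split(",").map((s) => s.trim()).filter(Boolean);
}

// Pure policy check. Returns a report instead of throwing so the caller
// decides whether "hard" findings abort the job and "soft" ones only log.
function auditBotPrivileges({ scopesHeader, repoPermissions }) {
  const scopes = parseScopes(scopesHeader);
  const hard = [];
  const soft = [];

  for (const s of scopes) {
    if (FORBIDDEN_SCOPES.has(s)) hard.push(`token carries dangerous scope "${s}"`);
    else if (!ALLOWED_SCOPES.has(s)) soft.push(`token carries unneeded scope "${s}"`);
  }
  // Only meaningful for classic PATs (scopes present); a classic PAT without
  // "repo" cannot comment on private-repo PRs at all.
  if (scopes.length > 0 && !scopes.includes("repo")) {
    hard.push('classic PAT lacks "repo"');
  }

  // Role checks. Write (push) is expected: code owners must have it to be
  // auto-requested. Anything above write is more than a review bot needs.
  const p = repoPermissions || {};
  if (p.admin) hard.push("bot has admin on the repository");
  if (p.maintain) soft.push("bot has maintain on the repository");
  if (!p.push) soft.push("bot lacks write access; CODEOWNERS will not auto-request it");

  return { ok: hard.length === 0, scopes, hard, soft };
}

// Network wrapper (assumed usage, not exercised offline): a single call to the
// repository endpoint yields both inputs. Header names are lower-cased.
async function auditLiveToken(octokit, owner, repo) {
  const res = await octokit.request("GET /repos/{owner}/{repo}", { owner, repo });
  return auditBotPrivileges({
    scopesHeader: res.headers["x-oauth-scopes"],
    repoPermissions: res.data.permissions,
  });
}

// Constructed sample inputs: what a correctly scoped bot and an over-privileged
// bot would look like.
const SAMPLE_GOOD = {
  scopesHeader: "repo, read:org",
  repoPermissions: { admin: false, maintain: false, push: true, triage: true, pull: true },
};
const SAMPLE_BAD = {
  scopesHeader: "repo, workflow, delete_repo",
  repoPermissions: { admin: true, maintain: true, push: true, triage: true, pull: true },
};

function runSamples() {
  const results = {};
  for (const [name, sample] of Object.entries({ SAMPLE_GOOD, SAMPLE_BAD })) {
    const r = auditBotPrivileges(sample);
    results[name] = r;
    console.log(name, r.ok ? "OK" : "FAIL", { hard: r.hard, soft: r.soft });
  }
  return results;
}

runSamples();
```

In a workflow, call auditLiveToken with the Octokit client built from BOT_GITHUB_TOKEN as the first step of the review job and exit non-zero when ok is false; the soft list is worth surfacing in the job log so that scope creep on the bot account is noticed before it matters.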