Automate Code Reviews: Improve Code Quality with OpenAI and GitHub Pull Requests

Stop wasting time on manual code reviews! Discover how to automatically assess code quality and security using OpenAI reasoning models directly within your GitHub pull request workflow. This guide will show you how to integrate AI-driven insights, catch critical issues early, and maintain consistent code standards.

Why Automate Code Reviews With OpenAI?

Save Time: Automatically identify code smells, security flaws, and style problems.
Enforce Standards: Ensure consistent and reliable code across your organization.
Get Instant Feedback: Give developers immediate AI-powered suggestions for improvements.

Real-World Examples

Pre-Merge Security Check: Review code changes for security vulnerabilities before incorporating them.
Consistent Code Quality: Enforce coding guidelines to maintain uniform code quality across teams.

Step-by-Step: Integrate OpenAI into Your GitHub Workflow

Here's a breakdown of the process:

Generate an OpenAI API Key:
- Navigate to platform.openai.com/api-keys and create a new secret key.
- Securely store the key as OPENAI_API_KEY in your GitHub repository secrets.
Choose Your OpenAI Reasoning Model:
- Select an OpenAI model for deep code analysis. Start with a powerful model and fine-tune your prompts.
Select a Pull Request to Analyze:
- Enable GitHub Actions for your repository.
- Ensure you have permissions to set repository secrets or variables (for PROMPT, MODELNAME, and BEST_PRACTICES).
Define Your Enterprise Coding Standards:
- Store guidelines as a repository variable (BEST_PRACTICES). Include crucial aspects like:
  - Code style & formatting
  - Readability & maintainability
  - Security & compliance
  - Error handling & logging
  - Performance & scalability
  - Testing & QA
  - Documentation & version control
  - Accessibility & internationalization
Craft Your Meta-Prompt:
- Design a prompt to guide OpenAI toward critical checks for security, quality, and best practices. Consider these areas:
  - Code Quality & Standards
  - Security & Vulnerability Analysis
  - Fault Tolerance & Error Handling
  - Performance & Resource Management
  - Step-by-Step Validation
- Encourage thorough reviews with specific feedback for each line of code.

Set Up Your GitHub Actions Workflow for automated code quality checks

This workflow triggers on pull requests to the main branch, performing two key tasks:

Quality and Security Analysis: This analyzes code changes using OpenAI, and then posts suggested fixes within pull request comments.
Enterprise Standard Check: Evaluate the pull request against your coding standards, summarized in simple format with the category name and rating.

name: PR Quality and Security Check

on:
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  pull-requests: write

jobs:
  quality-security-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Ensure full history for proper diff

      - name: Gather Full Code From Changed Files
        run: |
          CHANGED_FILES=$(git diff --name-only origin/main...HEAD)
          echo '{"original files": [' > original_files_temp.json
          for file in $CHANGED_FILES; do
            if [[ $file == *.json ]] || [[ $file == *.png ]]; then
              continue
            fi
            if [ -f "$file" ]; then
              CONTENT=$(jq -Rs . < "$file")
              echo "{\"filename\": \"$file\", \"content\": $CONTENT}," >> original_files_temp.json
            fi
          done
          sed -i '$ s/,$//' original_files_temp.json
          echo "]}" >> original_files_temp.json

      - name: Display Processed Diff (Debug)
        run: cat original_files_temp.json

      - name: Get Diff
        run: |
          git diff origin/main...HEAD \
          | grep '^[+-]' \
          | grep -Ev '^(---|\+\+\+)' > code_changes_only.txt
          jq -Rs '{diff: .}' code_changes_only.txt > diff.json
          if [ -f original_files_temp.json ]; then
            jq -s '.[0] * .[1]' diff.json original_files_temp.json > combined.json
            mv combined.json diff.json

      - name: Display Processed Diff (Debug)
        run: cat diff.json

      - name: Analyze with OpenAI
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          DIFF_CONTENT=$(jq -r '.diff' diff.json)
          ORIGINAL_FILES=$(jq -r '."original files"' diff.json)
          PROMPT="Please review the following code changes for any obvious quality or security issues. Provide a brief report in markdown format:\n\nDIFF:\n${DIFF_CONTENT}\n\nORIGINAL FILES:\n${ORIGINAL_FILES}"
          jq -n --arg prompt "$PROMPT" '{
            "model": "gpt-4",
            "messages": [
              { "role": "system", "content": "You are a code reviewer." },
              { "role": "user", "content": $prompt }
            ]
          }' > request.json
          curl -sS https://api.openai.com/v1/chat/completions \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer ${OPENAI_API_KEY}" \
          -d @request.json > response.json

      - name: Extract Review Message
        id: extract_message
        run: |
          ASSISTANT_MSG=$(jq -r '.choices[0].message.content' response.json)
          {
            echo "message<<EOF"
            echo "$ASSISTANT_MSG"
            echo "EOF"
          } >> $GITHUB_OUTPUT

      - name: Post Comment to PR
        env:
          COMMENT: ${{ steps.extract_message.outputs.message }}
          GH_TOKEN: ${{ github.token }}
        run: |
          gh api \
          repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
          -f body="$COMMENT"
  enterprise-standard-check:
    runs-on: ubuntu-latest
    needs: [ quality-security-analysis]

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # ensures we get both PR base and head

      - name: Gather Full Code From Changed Files
        run: |
          # Identify changed files from the base (origin/main) to the pull request HEAD
          CHANGED_FILES=$(git diff --name-only origin/main...HEAD)

          # Build a JSON array containing filenames and their content
          echo '{"original files": [' > original_files_temp.json
          for file in $CHANGED_FILES; do
            # Skip .json and .txt files
            if [[ $file == *.json ]] || [[ $file == *.txt ]]; then
              continue
            fi

            # If the file still exists (i.e., wasn't deleted)
            if [ -f "$file" ]; then
              CONTENT=$(jq -Rs . < "$file")
              echo "{\"filename\": \"$file\", \"content\": $CONTENT}," >> original_files_temp.json
            fi
          done

          # Remove trailing comma on the last file entry and close JSON
          sed -i '$ s/,$//' original_files_temp.json
          echo "]}" >> original_files_temp.json

      - name: Analyze Code Against Best Practices
        id: validate
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          set -e
          # Read captured code
          ORIGINAL_FILES=$(cat original_files_temp.json)

          # Construct the prompt:
          # - Summarize each best-practice category
          # - Provide a rating for each category: 'extraordinary', 'acceptable', or 'poor'
          # - Return a Markdown table titled 'Enterprise Standards'
          PROMPT="You are an Enterprise Code Assistant. Review each code snippet below for its adherence to the following categories:
          1) Code Style & Formatting
          2) Security & Compliance
          3) Error Handling & Logging
          4) Readability & Maintainability
          5) Performance & Scalability
          6) Testing & Quality Assurance
          7) Documentation & Version Control
          8) Accessibility & Internationalization

          Using \${{ vars.BEST_PRACTICES }} as a reference, assign a rating of 'extraordinary', 'acceptable', or 'poor' for each category. Return a markdown table titled 'Enterprise Standards' with rows for each category and columns for 'Category' and 'Rating'.

          Here are the changed file contents to analyze:
          $ORIGINAL_FILES"

          # Create JSON request for OpenAI
          jq -n --arg system_content "You are an Enterprise Code Assistant ensuring the code follows best practices." \
          --arg user_content "$PROMPT" \
          '{
            "model": "${{ vars.MODELNAME }}",
            "messages": [
              {
                "role": "system",
                "content": $system_content
              },
              {
                "role": "user",
                "content": $user_content
              }
            ]
          }' > request.json

          # Make the API call
          curl -sS https://api.openai.com/v1/chat/completions \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $OPENAI_API_KEY" \
          -d @request.json > response.json

          # Extract the model's message
          ASSISTANT_MSG=$(jq -r '.choices[0].message.content' response.json)

          # Store for next step
          {
            echo "review<<EOF"
            echo "$ASSISTANT_MSG"
            echo "EOF"
          } >> $GITHUB_OUTPUT

      - name: Post Table Comment
        env:
          COMMENT: ${{ steps.validate.outputs.review }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # If COMMENT is empty or null, skip posting
          if [ -z "$COMMENT" ] || [ "$COMMENT" = "null" ]; then
            echo "No comment to post."
            exit 0
          fi

          gh api \
          repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
          -f body="$COMMENT"

Key points in the workflow:

Checkout Code: Fetches the code for analysis
Gather Code: Extracts changes for OpenAI.
Analyze with OpenAI: Sends code for review based on your prompt.
Post Comment to PR: Adds AI feedback as a pull request comment.

Test Drive Your Workflow

Commit the workflow file to your repository. Open a new pull request. The workflow automatically executes, adding AI-generated observations as comments.

See It In Action

For a real-world example, check out the OpenAI-Forum repository’s workflow.

Start using these automated workflows and improve code quality by identifying issues early using OpenAI reasoning models. This not only saves time but also promotes code security and enhances team productivity with insights into enterprise coding standards.

Automate Code Reviews: Improve Code Quality with OpenAI and GitHub Pull Requests

Step-by-Step: Integrate OpenAI into Your GitHub Workflow

Here's a breakdown of the process:

Generate an OpenAI API Key:

Navigate to platform.openai.com/api-keys and create a new secret key.
Securely store the key as OPENAI_API_KEY in your GitHub repository secrets.

Choose Your OpenAI Reasoning Model:

Select an OpenAI model for deep code analysis. Start with a powerful model and fine-tune your prompts.

Select a Pull Request to Analyze:

Enable GitHub Actions for your repository.
Ensure you have permissions to set repository secrets or variables (for PROMPT, MODELNAME, and BEST_PRACTICES).

Define Your Enterprise Coding Standards:

Store guidelines as a repository variable (BEST_PRACTICES). Include crucial aspects like:
- Code style & formatting
- Readability & maintainability
- Security & compliance
- Error handling & logging
- Performance & scalability
- Testing & QA
- Documentation & version control
- Accessibility & internationalization

Craft Your Meta-Prompt:

Design a prompt to guide OpenAI toward critical checks for security, quality, and best practices. Consider these areas:
- Code Quality & Standards
- Security & Vulnerability Analysis
- Fault Tolerance & Error Handling
- Performance & Resource Management
- Step-by-Step Validation
Encourage thorough reviews with specific feedback for each line of code.

Set Up Your GitHub Actions Workflow for automated code quality checks

This workflow triggers on pull requests to the main branch, performing two key tasks:

Quality and Security Analysis: This analyzes code changes using OpenAI, and then posts suggested fixes within pull request comments.

Enterprise Standard Check: Evaluate the pull request against your coding standards, summarized in simple format with the category name and rating.

name: PR Quality and Security Check

on:
  pull_request:
    branches: [ main ]

permissions:
  contents: read
  pull-requests: write

jobs:
  quality-security-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Ensure full history for proper diff

      - name: Gather Full Code From Changed Files
        run: |
          CHANGED_FILES=$(git diff --name-only origin/main...HEAD)
          echo '{"original files": [' > original_files_temp.json
          for file in $CHANGED_FILES; do
            if [[ $file == *.json ]] || [[ $file == *.png ]]; then
              continue
            fi
            if [ -f "$file" ]; then
              CONTENT=$(jq -Rs . < "$file")
              echo "{\"filename\": \"$file\", \"content\": $CONTENT}," >> original_files_temp.json
            fi
          done
          sed -i '$ s/,$//' original_files_temp.json
          echo "]}" >> original_files_temp.json

      - name: Display Processed Diff (Debug)
        run: cat original_files_temp.json

      - name: Get Diff
        run: |
          git diff origin/main...HEAD \
          | grep '^[+-]' \
          | grep -Ev '^(---|\+\+\+)' > code_changes_only.txt
          jq -Rs '{diff: .}' code_changes_only.txt > diff.json
          if [ -f original_files_temp.json ]; then
            jq -s '.[0] * .[1]' diff.json original_files_temp.json > combined.json
            mv combined.json diff.json

      - name: Display Processed Diff (Debug)
        run: cat diff.json

      - name: Analyze with OpenAI
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          DIFF_CONTENT=$(jq -r '.diff' diff.json)
          ORIGINAL_FILES=$(jq -r '."original files"' diff.json)
          PROMPT="Please review the following code changes for any obvious quality or security issues. Provide a brief report in markdown format:\n\nDIFF:\n${DIFF_CONTENT}\n\nORIGINAL FILES:\n${ORIGINAL_FILES}"
          jq -n --arg prompt "$PROMPT" '{
            "model": "gpt-4",
            "messages": [
              { "role": "system", "content": "You are a code reviewer." },
              { "role": "user", "content": $prompt }
            ]
          }' > request.json
          curl -sS https://api.openai.com/v1/chat/completions \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer ${OPENAI_API_KEY}" \
          -d @request.json > response.json

      - name: Extract Review Message
        id: extract_message
        run: |
          ASSISTANT_MSG=$(jq -r '.choices[0].message.content' response.json)
          {
            echo "message<<EOF"
            echo "$ASSISTANT_MSG"
            echo "EOF"
          } >> $GITHUB_OUTPUT

      - name: Post Comment to PR
        env:
          COMMENT: ${{ steps.extract_message.outputs.message }}
          GH_TOKEN: ${{ github.token }}
        run: |
          gh api \
          repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
          -f body="$COMMENT"
  enterprise-standard-check:
    runs-on: ubuntu-latest
    needs: [ quality-security-analysis]

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # ensures we get both PR base and head

      - name: Gather Full Code From Changed Files
        run: |
          # Identify changed files from the base (origin/main) to the pull request HEAD
          CHANGED_FILES=$(git diff --name-only origin/main...HEAD)

          # Build a JSON array containing filenames and their content
          echo '{"original files": [' > original_files_temp.json
          for file in $CHANGED_FILES; do
            # Skip .json and .txt files
            if [[ $file == *.json ]] || [[ $file == *.txt ]]; then
              continue
            fi

            # If the file still exists (i.e., wasn't deleted)
            if [ -f "$file" ]; then
              CONTENT=$(jq -Rs . < "$file")
              echo "{\"filename\": \"$file\", \"content\": $CONTENT}," >> original_files_temp.json
            fi
          done

          # Remove trailing comma on the last file entry and close JSON
          sed -i '$ s/,$//' original_files_temp.json
          echo "]}" >> original_files_temp.json

      - name: Analyze Code Against Best Practices
        id: validate
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          set -e
          # Read captured code
          ORIGINAL_FILES=$(cat original_files_temp.json)

          # Construct the prompt:
          # - Summarize each best-practice category
          # - Provide a rating for each category: 'extraordinary', 'acceptable', or 'poor'
          # - Return a Markdown table titled 'Enterprise Standards'
          PROMPT="You are an Enterprise Code Assistant. Review each code snippet below for its adherence to the following categories:
          1) Code Style & Formatting
          2) Security & Compliance
          3) Error Handling & Logging
          4) Readability & Maintainability
          5) Performance & Scalability
          6) Testing & Quality Assurance
          7) Documentation & Version Control
          8) Accessibility & Internationalization

          Using \${{ vars.BEST_PRACTICES }} as a reference, assign a rating of 'extraordinary', 'acceptable', or 'poor' for each category. Return a markdown table titled 'Enterprise Standards' with rows for each category and columns for 'Category' and 'Rating'.

          Here are the changed file contents to analyze:
          $ORIGINAL_FILES"

          # Create JSON request for OpenAI
          jq -n --arg system_content "You are an Enterprise Code Assistant ensuring the code follows best practices." \
          --arg user_content "$PROMPT" \
          '{
            "model": "${{ vars.MODELNAME }}",
            "messages": [
              {
                "role": "system",
                "content": $system_content
              },
              {
                "role": "user",
                "content": $user_content
              }
            ]
          }' > request.json

          # Make the API call
          curl -sS https://api.openai.com/v1/chat/completions \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer $OPENAI_API_KEY" \
          -d @request.json > response.json

          # Extract the model's message
          ASSISTANT_MSG=$(jq -r '.choices[0].message.content' response.json)

          # Store for next step
          {
            echo "review<<EOF"
            echo "$ASSISTANT_MSG"
            echo "EOF"
          } >> $GITHUB_OUTPUT

      - name: Post Table Comment
        env:
          COMMENT: ${{ steps.validate.outputs.review }}
          GH_TOKEN: ${{ github.token }}
        run: |
          # If COMMENT is empty or null, skip posting
          if [ -z "$COMMENT" ] || [ "$COMMENT" = "null" ]; then
            echo "No comment to post."
            exit 0
          fi

          gh api \
          repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments \
          -f body="$COMMENT"