Add multi-provider code review to GitHub Action #7404
base: dev
- Run parallel reviews with multiple free opencode providers
- Synthesize results into comprehensive code review
- Add configurable provider list via REVIEW_PROVIDERS env var
- Include error handling and timeout management
- Add documentation for the feature

Providers: big-pickle, grok-code, minimax-m2.1-free, glm-4.7-free
Hey! Your PR title Please update it to start with one of:
Where See CONTRIBUTING.md for details.

The following comment was made by an LLM, it may be inaccurate: No duplicate PRs found
Pull request overview
This PR adds a multi-provider code review feature to the GitHub Action that runs parallel reviews with multiple free AI providers and synthesizes the results into a comprehensive review.
Key changes:
- Created a new TypeScript script that orchestrates parallel code reviews across multiple AI providers
- Modified the GitHub workflow to use environment-based configuration for provider selection
- Added comprehensive documentation for the multi-provider review feature
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 14 comments.
| File | Description |
|---|---|
| github/multi-review.ts | New script implementing parallel review execution, error handling, and synthesis logic |
| .github/workflows/review.yml | Updated workflow to configure and invoke multi-provider reviews via environment variables |
| github/MULTI_REVIEW.md | Documentation explaining the feature, configuration, and usage |
Comments suppressed due to low confidence (1)
.github/workflows/review.yml:64
- Missing input validation: The PR_BODY variable (from jq output) and PR_TITLE are directly interpolated into the REVIEW_PROMPT environment variable without validation or escaping. If these contain double quotes or other special characters, they could break the shell script or cause unexpected behavior when passed to the multi-review.ts script.
PR_BODY=$(jq -r .body pr_data.json)
PR_NUMBER="${{ steps.pr-number.outputs.number }}"
export REVIEW_PROMPT="A new pull request has been created: '${PR_TITLE}'
<pr-number>
$PR_NUMBER
</pr-number>
<pr-description>
$PR_BODY
| return { | ||
| provider, | ||
| output: `Error: Review failed for ${provider}`, | ||
| } |
Copilot
AI
Jan 9, 2026
Poor error handling design: When a review fails, the function returns a ReviewResult with output set to a generic error message string. This makes it impossible for callers to distinguish between a successful review that happened to output "Error: Review failed..." and an actual failure. Consider adding an error field to the ReviewResult type or using a discriminated union to properly distinguish between success and failure cases.
| const result = execSync(`opencode run -m ${provider} -- "${REVIEW_PROMPT}"`, { | ||
| encoding: "utf8", | ||
| timeout: 300000, // 5 minutes timeout | ||
| }) |
Copilot
AI
Jan 9, 2026
Potential buffer overflow: The execSync call doesn't specify a maxBuffer option, which defaults to 1MB. Code reviews could potentially produce output larger than this limit, causing the command to fail with a "maxBuffer exceeded" error. Consider adding a maxBuffer option (e.g., maxBuffer: 10 * 1024 * 1024 for 10MB) to handle larger outputs.
| Please provide the synthesized review:` | ||
|
|
||
| try { | ||
| const synthesisResult = execSync(`opencode run -m opencode/big-pickle -- "${synthesisPrompt}"`, { |
Copilot
AI
Jan 9, 2026
Command injection vulnerability: The synthesisPrompt is directly interpolated into a shell command without proper escaping. The aggregated reviews may contain user-controlled content (from PR descriptions, code, etc.) that could include shell metacharacters, leading to command injection. Use array-based command execution or properly escape the prompt.
| console.log(`Starting review with provider: ${provider}`) | ||
|
|
||
| try { | ||
| const result = execSync(`opencode run -m ${provider} -- "${REVIEW_PROMPT}"`, { |
Copilot
AI
Jan 9, 2026
Potential command injection vulnerability: The provider variable is directly interpolated into a shell command. While REVIEW_PROVIDERS comes from a controlled environment variable, if it contains shell metacharacters, it could break the command or lead to unintended execution. Consider validating the provider format or using array-based command execution.
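The array-based execution suggested in the two command-injection comments above, shown next to the string-built form, as an added example that is not code from this PR or from opencode. The `PROVIDER_ID` pattern and all function names are assumptions, and `printf` stands in for the `opencode` binary so the block runs offline.

```typescript
import { execFileSync, execSync } from "node:child_process"

// Assumed shape of a provider id ("opencode/big-pickle"); not taken from opencode itself.
const PROVIDER_ID = /^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/

// Split REVIEW_PROVIDERS, drop empty entries, reject anything outside the pattern.
function parseProviders(raw: string | undefined): string[] {
  const ids = (raw ?? "").split(",").map((p) => p.trim()).filter((p) => p.length > 0)
  const bad = ids.filter((p) => !PROVIDER_ID.test(p))
  if (bad.length > 0) throw new Error(`invalid provider id: ${JSON.stringify(bad)}`)
  return ids
}

// argv for `opencode run -m <provider> -- <prompt>`; each element reaches the
// child process as exactly one argument because no shell parses it.
function reviewArgs(provider: string, prompt: string): string[] {
  return ["run", "-m", provider, "--", prompt]
}

// Stand-in for the real CLI: printf echoes back the argument it received.
// Pattern from the PR: the prompt is pasted into a string that /bin/sh parses.
function viaShell(prompt: string): string {
  return execSync(`printf %s "${prompt}"`, { encoding: "utf8" })
}

// Array form: no shell is involved, so metacharacters in the prompt stay literal.
function viaArgv(prompt: string): string {
  return execFileSync("printf", ["%s", prompt], { encoding: "utf8", maxBuffer: 10 * 1024 * 1024 })
}

// Constructed sample: a PR title carrying a harmless command substitution.
const samplePrompt = "A new pull request has been created: 'fix $(echo INJECTED)'"

console.log("shell:", JSON.stringify(viaShell(samplePrompt)))
console.log("argv: ", JSON.stringify(viaArgv(samplePrompt)))
console.log(reviewArgs(parseProviders("opencode/big-pickle, opencode/grok-code")[0], samplePrompt))
```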
|
|
||
| process.stdout.write(synthesis) |
Copilot
AI
Jan 9, 2026
Code duplication: The synthesis output is logged twice - once via console.log and once via process.stdout.write. The process.stdout.write on line 89 appears to duplicate the console.log on line 87. Consider removing the redundant output or clarifying if both are needed for different purposes.
| process.stdout.write(synthesis) |
| try { | ||
| const result = execSync(`opencode run -m ${provider} -- "${REVIEW_PROMPT}"`, { | ||
| encoding: "utf8", | ||
| timeout: 300000, // 5 minutes timeout | ||
| }) | ||
| return { | ||
| provider, | ||
| output: result, | ||
| } | ||
| } catch (error) { | ||
| console.error(`Error running review with ${provider}:`, error) | ||
| return { | ||
| provider, | ||
| output: `Error: Review failed for ${provider}`, | ||
| } | ||
| } |
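Review bot: `REVIEW_PROMPT` sits inside double quotes in the `execSync` command string on the first line of the `try` block, and the workflow builds that variable from the PR title and body, so a `"`, backtick or `$(...)` in either field is interpreted by the shell on the runner. Pass the arguments as an array with no shell, for example `execFileSync("opencode", ["run", "-m", provider, "--", REVIEW_PROMPT], { encoding: "utf8", timeout: 300000 })`.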
Copilot
AI
Jan 9, 2026
Code style violation: The code uses try/catch blocks extensively, which goes against the project's style guide that states "AVOID try/catch where possible". Consider handling errors through return values or other patterns consistent with the project's style.
|
|
||
| const REVIEW_PROVIDERS = process.env.REVIEW_PROVIDERS?.split(",").map((p) => p.trim()) || [] | ||
| const REVIEW_PROMPT = process.env.REVIEW_PROMPT || "" | ||
| // ANTHROPIC_API_KEY is optional for testing |
Copilot
AI
Jan 9, 2026
Misleading or outdated comment: The comment states "ANTHROPIC_API_KEY is optional for testing" but this variable is not used anywhere in this file. The multi-review.ts script uses opencode providers, not Anthropic. This comment should be removed or updated to reflect the actual usage.
| // ANTHROPIC_API_KEY is optional for testing |
| - Running parallel reviews with error handling | ||
| - 5-minute timeout per provider | ||
| - Graceful fallback if a provider fails | ||
| - Synthesis using the first provider in the list |
Copilot
AI
Jan 9, 2026
Misleading documentation: The documentation states "Synthesis using the first provider in the list", but the code hardcodes "opencode/big-pickle" for synthesis (line 65 of multi-review.ts) rather than using REVIEW_PROVIDERS[0]. While these happen to match in the current configuration, if someone changes the provider list order or removes big-pickle, the synthesis would still try to use big-pickle. Either update the code to use REVIEW_PROVIDERS[0] or clarify the documentation to state the specific hardcoded provider.
| - Synthesis using the first provider in the list | |
| - Synthesis using the dedicated `opencode/big-pickle` provider |
| console.log(`Running reviews with ${REVIEW_PROVIDERS.length} providers: ${REVIEW_PROVIDERS.join(", ")}`) | ||
| console.log(`Prompt length: ${REVIEW_PROMPT.length} characters`) | ||
|
|
||
| const results = await Promise.all(REVIEW_PROVIDERS.map((provider) => runReview(provider))) |
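Review bot: the `Promise.all` on the last line does not make the reviews concurrent, because `runReview` calls `execSync`, which blocks the event loop until each child process exits. The providers therefore run one after another, and the worst case is the sum of the per-provider timeouts rather than a single 5 minutes. Use the promise form of `execFile` (or `spawn`) inside `runReview` so the mapped calls actually overlap.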
Copilot
AI
Jan 9, 2026
Potential performance issue: Running 4 parallel reviews with Promise.all could cause rate limiting issues or excessive resource consumption. Each review has a 5-minute timeout, and if all fail slowly, this could take up to 5 minutes. Consider adding configuration for maximum concurrency or implementing sequential execution with a configurable parallelism limit.
| // ANTHROPIC_API_KEY is optional for testing | ||
|
|
||
| if (REVIEW_PROVIDERS.length === 0) { | ||
| console.error("REVIEW_PROVIDERS not set") |
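Review bot: the `REVIEW_PROVIDERS.length === 0` check misses an empty or whitespace-only variable, because the optional chain only short-circuits on `undefined` and `"".split(",")` yields `[""]`, so the script would go on to start a review with an empty provider name. Drop empty entries after the `trim()` (for example `.filter((p) => p.length > 0)`) and validate each remaining id against the expected provider format before this check.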
Copilot
AI
Jan 9, 2026
Unhelpful error message: The error message "REVIEW_PROVIDERS not set" doesn't provide guidance on how to fix the issue or what format is expected. Consider adding more context, such as "REVIEW_PROVIDERS environment variable must be set to a comma-separated list of provider models (e.g., 'opencode/big-pickle,opencode/grok-code')".
| console.error("REVIEW_PROVIDERS not set") | |
| console.error( | |
| "REVIEW_PROVIDERS environment variable must be set to a comma-separated list of provider models (e.g., 'opencode/big-pickle,opencode/grok-code').", | |
| ) |
Summary
Changes
- github/multi-review.ts script to handle parallel reviews
- .github/workflows/review.yml to use multiple providers
- github/MULTI_REVIEW.md documentation
Providers Used
- opencode/big-pickle - Large reasoning model
- opencode/grok-code - Code-specialized model
- opencode/minimax-m2.1-free - Free tier model
- opencode/glm-4.7-free - Free GLM model
Benefits