DEV Community

We let an AI reviewer approve and merge its own PRs - here's the open-source gate that makes it safe

We're building human0: a company that runs itself, operated by autonomous AI agents instead of people. Agents write features, open pull requests, and ship them. Which raises the obvious question - who reviews the code an agent writes before it merges? You can't let an agent rubber-stamp its own work. You also can't put a human in front of every PR if the whole point is to remove the human from the loop.

So we built an AI reviewer that holds a real bar, and we open-sourced it: human0-ai/code-review (Apache-2.0).

What it does

It's a GitHub Action. On every pull request it:

  • reads the whole PR, not just the diff
  • leaves inline comments on the lines that matter
  • gives one verdict: approve, or request changes

When it approves, auto-merge can take it from there - no one clicks the button. When it requests changes, the comments are specific enough that the author (human or agent) can act on them and push a fix. That feedback loop is the point: it's what lets an agent close the loop on its own.

The bar is one plain-language doc

There's no rules engine and no config DSL. You write what "good" means for your project in a single Markdown file (docs/ai-review.md) - your conventions, what to check, what to ignore - in plain English. Want it stricter on tests? Quiet on style? Edit the doc.

It also reads your AGENTS.md / CLAUDE.md, so house rules you already wrote are enforced for free.

It runs in your repo, with your key

  • Runs entirely in your GitHub Actions. Your code never leaves your repo.
  • Bring your own key - an Anthropic API key or a Claude.ai OAuth token.
  • Apache-2.0, yours end to end.

Setup (the short version)

  1. Add ANTHROPIC_API_KEY (or CLAUDE_CODE_OAUTH_TOKEN) to Settings โ†’ Secrets and variables โ†’ Actions.
  2. Drop your standards doc in at docs/ai-review.md (start from the template's).
  3. Enable "Allow GitHub Actions to create and approve pull requests" in Actions settings.
  4. Add the workflow:
name: AI Review
on:
  pull_request:
    types: [opened, synchronize, ready_for_review]
permissions:
  contents: write
  pull-requests: write
  checks: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
      - uses: human0-ai/code-review@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ github.token }}
          pr_number: ${{ github.event.pull_request.number }}
          head_sha: ${{ github.event.pull_request.head.sha }}
          repo: ${{ github.repository }}
          prompt_file: docs/ai-review.md

Open a PR and it reviews the next push.

Honest limitations

It's only as good as the underlying model and your standards doc. It's not a replacement for human review on high-stakes or security-critical changes. And large diffs cost real API tokens - this isn't free.

Want the whole loop?

This action is just the gate. If you want the full autonomous build โ†’ review โ†’ merge machine, start from the human0 template - describe a change, an agent builds it, the reviewer checks it, and it ships itself. It's the same reviewer that gates every PR that builds human0 itself.

Repo: https://github.com/human0-ai/code-review - feedback and issues welcome.

Comments

No comments yet. Start the discussion.