AI-Powered Code Review with GitHub Actions and OpenAI

Create a workflow that triggers on `pull_request` events and runs on every push to an open PR. Use the `github.event.pull_request.base.sha` and `github.event.pull_request.head.sha` to extract the diff with `git diff`.

Limit the diff to code files (exclude lockfiles, auto-generated assets) with a `pathspec` filter. LLMs have context limits — send only the changed code, not the entire file. For large PRs, review files individually and summarize at the end.

The quality of AI review depends entirely on the prompt. Ask specifically for: logic errors that could cause incorrect behavior, null pointer / undefined access risks, SQL injection or XSS patterns, missing error handling on async operations, and performance pitfalls in hot paths.

Explicitly tell the model to skip style comments, formatting, and variable naming preferences — linters handle those. Ask for structured output (JSON) with severity levels so your action can filter out low-confidence suggestions before posting.

Use the GitHub REST API's `POST /repos/{owner}/{repo}/pulls/{pull_number}/comments` endpoint to post inline comments at specific file line numbers. Include the `commit_id`, `path`, `line`, and `body` fields.

Group related findings into a single comment rather than posting one comment per issue — multiple comments on the same line create noise. Post a summary comment on the PR itself with a count of findings and their severity distribution.

Run the AI reviewer only on PRs with changes above a minimum size threshold (skip 1-line typo fixes). Cache review results for unchanged files using a hash of the file content — avoid re-reviewing code that did not change in a new push to the same PR.

POINTNEXIS uses AI code review as a first-pass layer before human review, not a replacement. It catches the low-hanging fruit so human reviewers can focus on architecture, business logic, and context the AI cannot see.