Org-wide lightweight PR reviewer (gitleaks + PR-title + cheap-model advisory) #36

Description

@JacobPEvans-personal

Summary

Every new PR should get an owned, low-cost review limited to a strict checklist, re-run on every commit until merge, without burning SOTA-model credits. It must catch what AI coding instructions keep failing to prevent: leaked sensitive values, DRY violations, missing side-by-side docs, lint suppression, and commit/PR hygiene.

Research confirmed the vendor paths are dead ends: org-wide Copilot custom instructions need a Copilot seat the org lacks, a repo .github/copilot-instructions.md does not propagate org-wide, and the free Gemini Code Assist GitHub app sunsets 2026-07-17.

Approach

Compose standard published tools (no authored scripts) in a standalone pr-review.yml, injected org-wide via dryvist/terraform-github Required Workflows (same model as markdownlint.yml):

  • gitleaks (blocking) — secrets/sensitive values; generic baseline committed, real denylist via the GITLEAKS_CONFIG_PRIVATE org secret
  • amannn/action-semantic-pull-request (blocking) — PR title (Conventional Commits + plain ASCII / no emoji)
  • anthropics/claude-code-action on claude-haiku-4-5 (advisory) — checklist from configs/pr-review-checklist.md
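A sketch of how those three tools compose into one workflow, added here as an illustration and not the issue's actual pr-review.yml. It assumes the GITLEAKS_CONFIG_PRIVATE secret holds a complete gitleaks TOML that is written to disk and handed to the action through the GITLEAKS_CONFIG path variable, that configs/pr-review-checklist.md is present in the checkout, and the current input names of the three actions.

```yaml
name: pr-review
on:
  pull_request:
    types: [opened, synchronize, reopened, edited]  # "edited" re-checks a renamed title
permissions:
  contents: read
  pull-requests: read
  id-token: write  # claude-code-action exchanges an OIDC token

jobs:
  gitleaks:  # blocking: secrets / sensitive values
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so every commit in the PR is scanned
      # Assumed convention: the org secret, when set, replaces the committed
      # baseline .gitleaks.toml; the path is passed via GITLEAKS_CONFIG.
      - env:
          PRIVATE_CONFIG: ${{ secrets.GITLEAKS_CONFIG_PRIVATE }}
        run: |
          [ -z "$PRIVATE_CONFIG" ] || { printf '%s\n' "$PRIVATE_CONFIG" > "$RUNNER_TEMP/gitleaks.toml";
            echo "GITLEAKS_CONFIG=$RUNNER_TEMP/gitleaks.toml" >> "$GITHUB_ENV"; }
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # required for org repos

  pr-title:  # blocking: Conventional Commits type + plain ASCII subject
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          subjectPattern: '^[ -~]+$'  # printable ASCII only, so emoji are rejected
          subjectPatternError: 'PR title subject must be plain ASCII (no emoji).'

  advisory-review:  # advisory: cheap model, never blocks merge
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
          claude_args: '--model claude-haiku-4-5 --max-turns 5'  # cap spend per run
          prompt: |
            Review this pull request strictly against configs/pr-review-checklist.md.
            Report only findings that match a checklist item, one bullet each with
            file and line. Do not modify any files.
```

Because the two blocking jobs are separate, a leaked secret and a bad title surface as independent red checks, while the advisory job only annotates.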

Owner prerequisites (org secrets, visibility: all)

  • GITLEAKS_LICENSE (free key from gitleaks.io; required for org repos)
  • ANTHROPIC_API_KEY (advisory pass)
  • GITLEAKS_CONFIG_PRIVATE (optional private overlay)

Follow-ups

  • Inject pr-review.yml org-wide via dryvist/terraform-github Required Workflows
  • Roll out to JacobPEvans-personal repos (separate account/token tier)
