Summary
Every new PR should get an owned, low-cost review limited to a strict checklist, re-run on every commit until merge, without burning SOTA-model credits. It must catch what AI coding instructions keep failing to prevent: leaked sensitive values, DRY violations, missing side-by-side docs, lint suppression, and poor commit/PR hygiene.
Research confirmed the vendor paths are dead ends: org-wide Copilot custom instructions need a Copilot seat the org lacks, a repo .github/copilot-instructions.md does not propagate org-wide, and the free Gemini Code Assist GitHub app sunsets 2026-07-17.
Approach
Compose standard published tools (no authored scripts) in a standalone pr-review.yml, injected org-wide via dryvist/terraform-github Required Workflows (same model as markdownlint.yml):
- gitleaks (blocking) — secrets/sensitive values; a generic baseline config is committed, the real denylist is supplied via the GITLEAKS_CONFIG_PRIVATE org secret
- amannn/action-semantic-pull-request (blocking) — PR title (Conventional Commits + plain ASCII / no emoji)
- anthropics/claude-code-action on claude-haiku-4-5 (advisory) — checklist from configs/pr-review-checklist.md
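A sketch of the composed workflow, added here as an illustration rather than the project's actual pr-review.yml. It assumes the documented inputs of gitleaks/gitleaks-action@v2 (GITLEAKS_LICENSE, GITLEAKS_CONFIG env vars), amannn/action-semantic-pull-request@v5 (subjectPattern) and anthropics/claude-code-action@v1 (anthropic_api_key, claude_args, prompt); the baseline path configs/gitleaks.toml and the assumption that GITLEAKS_CONFIG_PRIVATE holds a complete gitleaks .toml are mine. The `edited` and `synchronize` triggers are what make the title check and the secret scan re-run on every title change and every push.

```yaml
# pr-review.yml (added example, not the project's file)
# Assumed action inputs: gitleaks/gitleaks-action@v2, amannn/action-semantic-pull-request@v5,
# anthropics/claude-code-action@v1. GITLEAKS_CONFIG_PRIVATE is assumed to be a full .toml.
name: pr-review

on:
  pull_request:
    # edited: re-check the title on rename; synchronize: re-run on every push to the PR
    types: [opened, edited, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write   # advisory pass posts its findings as a PR comment
  issues: write

concurrency:
  group: pr-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true   # a new push supersedes the in-flight review

jobs:
  secrets:
    name: gitleaks (blocking)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0       # gitleaks needs the full PR commit range, not a shallow clone
      - name: Pick config (private overlay if present, else committed baseline)
        id: cfg
        shell: bash
        env:
          PRIVATE_CONFIG: ${{ secrets.GITLEAKS_CONFIG_PRIVATE }}   # passed via env, never interpolated into the script
        run: |
          if [ -n "$PRIVATE_CONFIG" ]; then
            printf '%s\n' "$PRIVATE_CONFIG" > "$RUNNER_TEMP/gitleaks.toml"
            echo "path=$RUNNER_TEMP/gitleaks.toml" >> "$GITHUB_OUTPUT"
          else
            echo "path=configs/gitleaks.toml" >> "$GITHUB_OUTPUT"   # assumed baseline location
          fi
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}   # required for org-owned repos
          GITLEAKS_CONFIG: ${{ steps.cfg.outputs.path }}

  pr-title:
    name: conventional PR title (blocking)
    runs-on: ubuntu-latest
    steps:
      - uses: amannn/action-semantic-pull-request@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          # Conventional Commits types are the action's default; the subject must be
          # printable ASCII only, which rejects emoji and other non-ASCII characters.
          subjectPattern: '^[ -~]+$'
          subjectPatternError: 'PR title subject must be plain ASCII (no emoji).'

  checklist:
    name: claude-haiku-4-5 checklist (advisory)
    runs-on: ubuntu-latest
    continue-on-error: true                              # advisory: never blocks merge
    if: ${{ github.event.action != 'edited' }}           # a title edit alone should not spend model credits
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          claude_args: '--model claude-haiku-4-5'
          prompt: |
            Review this pull request strictly against configs/pr-review-checklist.md.
            Report only checklist violations, each with file and line. Do not restyle
            or rewrite code, and do not comment on anything the checklist does not cover.
```

The private denylist is written to the runner from an env var rather than expanded inside the `run:` script, so a regex containing quotes or `$` cannot break out of the shell; the gitleaks and title jobs are the only ones that fail the check, the checklist job is marked `continue-on-error` so an exhausted API key or model outage cannot block a merge.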
Owner prerequisites (org secrets, visibility: all)
- GITLEAKS_LICENSE (free key from gitleaks.io; required for org repos)
- ANTHROPIC_API_KEY (advisory pass)
- GITLEAKS_CONFIG_PRIVATE (optional private overlay; with visibility "all" every workflow in every org repo can read it, so it should hold patterns for the sensitive values, not the values themselves)
Follow-ups
- Inject pr-review.yml org-wide via dryvist/terraform-github Required Workflows
- Roll out to JacobPEvans-personal repos (separate account/token tier)