← Back to Skills Marketplace
GitHub 智能代码审查与 CI/CD 自动化
by
zlszhonglongshen
· GitHub ↗
· v1.0.0
· MIT-0
111
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install github-code-review-cicd
Description
GitHub 智能代码审查与 CI/CD 自动化完整工作流。 场景:收到 PR 或提交代码时,自动完成 AI 代码审查(bug/安全/逻辑问题), 并根据审查结果智能生成或推荐 GitHub Actions CI/CD 工作流。 触发词:代码审查、review PR、生成 CI/CD、GitHub Actions...
README (SKILL.md)
GitHub 智能代码审查与 CI/CD 自动化
技能简介
本技能是一个三阶段自动化工作流,专门用于提升 GitHub 项目代码质量与 CI/CD 效率。
工作流程
阶段一:GitHub 信息收集(github)
使用 gh CLI 获取仓库、PR 或提交的相关信息:
# 查看 PR 详情
gh pr view \x3Cpr-number> --repo \x3Cowner/repo> --json title,body,files,additions,deletions,author
# 获取 PR 变更文件列表
gh pr diff \x3Cpr-number> --repo \x3Cowner/repo>
# 查看最近提交记录
gh api repos/\x3Cowner>/\x3Crepo>/commits?per_page=10
# 列出仓库所有 Actions 工作流
gh workflow list --repo \x3Cowner/repo>
收集以下上下文信息:
- PR 标题、描述、作者
- 变更文件列表(新增/修改/删除)
- 代码行数统计
- 当前 CI 状态
阶段二:AI 代码审查(quack-code-review)
对收集到的代码变更进行深度 AI 审查:
- Bug 检测:空指针、边界条件、异常处理不当
- 安全漏洞:注入风险、敏感信息泄露、不安全依赖
- 逻辑问题:业务逻辑错误、状态机问题、并发安全问题
- 代码质量:风格不一致、重复代码圈复杂度
- 最佳实践:现代语言特性使用、错误处理规范
输出格式:
## 🔍 代码审查报告
### 🔴 严重问题(必须修复)
- [文件:行号] 问题描述
- 修复建议
### 🟡 建议改进
- [文件:行号] 问题描述
- 修复建议
### ✅ 审查通过
- 通过检查项列表
### 📊 统计
- 文件数: X | 新增: +X | 删除: -X
- 严重: X | 建议: X
阶段三:智能 CI/CD 生成(github-actions-generator)
根据阶段二的审查结果与项目技术栈,自动生成 GitHub Actions 工作流:
生成策略:
- Node.js/TypeScript →
node.yml:安装 → lint → test → build - Python →
python.yml:安装依赖 → pytest → 覆盖率报告 - Go →
go.yml:构建 → 测试 → 多平台构建 - Docker 项目 →
docker.yml:构建 → 推送镜像 → 安全扫描 - 审查发现问题 → 在工作流中增加对应检查步骤(如安全扫描、代码覆盖率阈值)
生成的文件:
.github/workflows/ci.yml— 主 CI 工作流.github/workflows/security.yml— 安全扫描(发现安全问题启用).github/workflows/cd.yml— 部署工作流(如适用)
使用说明:
# 生成 Node.js CI 工作流
github-actions-generator --lang node --framework express
# 生成带安全扫描的 Python CI 工作流
github-actions-generator --lang python --security-scan --coverage
# 生成 Docker 构建+推送工作流
github-actions-generator --lang docker --registry ghcr.io
使用场景
| 场景 | 输入 | 输出 |
|---|---|---|
| PR Code Review | PR 链接或 owner/repo#pr-number |
审查报告 + PR 评论 |
| 提交审查 | 提交 SHA 或 commit message | 审查报告 |
| 新项目 CI 搭建 | 仓库 URL + 技术栈 | 完整 CI/CD 工作流 |
| 安全合规检查 | 仓库 URL | 安全扫描报告 + 修复建议 |
依赖工具
ghCLI(GitHub 官方命令行工具)quack-code-review(LogicArt AI 代码分析)github-actions-generator(Sunshine-Del 团队出品)
最佳实践
- 每次提交必审查:配合 GitHub Actions 自动触发,在代码合并前发现问题
- 审查结果写入 PR 评论:使用
gh pr comment将报告自动写入 PR - CI 工作流渐进生成:先审查再生成,确保工作流覆盖已有问题
- 安全优先:发现安全漏洞时,自动启用
security.yml工作流
注意事项
- 审查报告仅作为辅助建议,最终决策由开发者负责
- 生成的 CI/CD 工作流需根据实际项目需求调整
- 敏感信息(如密钥、Token)不要在审查报告中暴露
Usage Guidance
This skill is coherent with its stated goal (it uses the gh CLI to fetch PR data, calls an AI reviewer, then generates workflow files and posts PR comments). Before installing or enabling it: 1) review the raw SKILL.md/README for hidden characters (the scan found unicode control chars) and remove or ask the author to explain them; 2) verify and trust the third-party tools referenced (quack-code-review and github-actions-generator) — confirm their source and permissions; 3) ensure the GitHub credentials used (gh auth / GITHUB_TOKEN) have minimal scopes (repo actions as needed) and are not shared broadly; 4) test the workflow in a sandbox repo (no secrets) to confirm it only reads repository data and posts intended comments; 5) if you need higher assurance, ask the publisher for a homepage/origin and source code for the referenced tools. If any of these checks fail or the author cannot explain the control characters and third-party tooling, avoid enabling the skill.
Capability Analysis
Type: OpenClaw Skill
Name: github-code-review-cicd
Version: 1.0.0
The skill bundle automates GitHub code reviews and CI/CD generation using the `gh` CLI and third-party skills. It is classified as suspicious due to its high-privilege access to repository data (reading code and posting comments) and the inherent risk of indirect prompt injection when processing PR diffs without sanitization. Furthermore, `workflow.json` contains significant structural syntax errors (invalid JSON nesting) that could cause unexpected behavior during execution, and the workflow relies on external, non-standard skills (`quack-code-review` and `github-actions-generator`) whose internal logic is not provided.
Capability Assessment
Purpose & Capability
Name/description match the instructions: the SKILL.md describes collecting PR/repo info via the gh CLI, running an AI review, and generating GitHub Actions workflows. Declared dependencies (gh, quack-code-review, github-actions-generator) are coherent with the stated purpose.
Instruction Scope
Instructions are mostly narrow and limited to repository- and PR-scoped operations (gh pr view/diff, analyze pr-diff.txt, generate workflows, post PR comments). However, the SKILL.md contains unicode control characters (prompt-injection signal) which may be attempting to hide or manipulate runtime prompts/behavior; this is a red flag because it can alter how the agent executes or interprets instructions. Also the skill implicitly requires authenticated gh access but does not explicitly declare required auth/env vars.
Install Mechanism
Instruction-only skill (no install spec, no code files to execute). Lowest install risk. It assumes external CLIs/tools are present but does not fetch or install code itself.
Credentials
The skill requests no environment variables in metadata, which is consistent with being instruction-only. In practice it requires an authenticated gh CLI (GITHUB_TOKEN or gh auth login) to read/write PRs and post comments; that credential access is appropriate for the purpose but is not explicitly declared. Also it relies on third-party skills/tools (quack-code-review, github-actions-generator) — their required credentials/permissions are not described here and should be verified.
Persistence & Privilege
Skill is not always-enabled and is user-invocable; it does not request permanent presence or system-wide configuration changes. It does post PR comments (expected behavior) but does not request elevated agent privileges in metadata.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install github-code-review-cicd - After installation, invoke the skill by name or use
/github-code-review-cicd - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of github-code-review-cicd skill.
- Provides an automated workflow for GitHub code review and CI/CD pipeline generation.
- Integrates repository data reading, AI code review for bugs/security/logic, and smart GitHub Actions workflow generation.
- Supports scenarios such as PR/code review, commit analysis, CI/CD setup, and security compliance.
- Utilizes `gh` CLI, `quack-code-review`, and `github-actions-generator` as core tools.
Metadata
Frequently Asked Questions
What is GitHub 智能代码审查与 CI/CD 自动化?
GitHub 智能代码审查与 CI/CD 自动化完整工作流。 场景:收到 PR 或提交代码时,自动完成 AI 代码审查(bug/安全/逻辑问题), 并根据审查结果智能生成或推荐 GitHub Actions CI/CD 工作流。 触发词:代码审查、review PR、生成 CI/CD、GitHub Actions... It is an AI Agent Skill for Claude Code / OpenClaw, with 111 downloads so far.
How do I install GitHub 智能代码审查与 CI/CD 自动化?
Run "/install github-code-review-cicd" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is GitHub 智能代码审查与 CI/CD 自动化 free?
Yes, GitHub 智能代码审查与 CI/CD 自动化 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does GitHub 智能代码审查与 CI/CD 自动化 support?
GitHub 智能代码审查与 CI/CD 自动化 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created GitHub 智能代码审查与 CI/CD 自动化?
It is built and maintained by zlszhonglongshen (@zlszhonglongshen); the current version is v1.0.0.
More Skills