PR Review Automation Pack
Nine picks an engineer or team lead would wire up to make AI handle the first pass on every pull request — checklist, GitHub MCP, multi-language linting, lint-as-PR-comments, policy bot, AI reviewer, security audit, adversarial bug hunter with auto-fix, and a one-shot commit-push-PR slash command. Install in this order and reviewers only see the issues humans need to decide on.
What's in this pack
You're an engineer or tech lead who's tired of skimming 400-line diffs at 5pm to catch typos a linter could have flagged. You want the boring stuff — formatting nits, missing tests, leaked secrets, breaking-change naming, dependency CVEs — caught before a human ever opens the PR. And when a human does open it, you want a structured AI summary at the top so review starts at "is this the right design?" not "what changed?"
This pack assembles nine picks, in deliberate order, that build that layered review stack: a human checklist to anchor the policy, GitHub MCP so Claude can read your PRs, CI-level linting, lint-as-inline-comments, a policy bot, an AI reviewer, a security scanner that actually understands diffs, an adversarial bug hunter that proposes fix patches, and a one-shot slash command to close the loop. Every pick is open-source or has a generous free tier. None of them lock you into a SaaS you can't leave.
Who this is not for: solo hackers on side projects (overkill — install just #1 and #9). Teams already on a $50/seat closed-source platform that does all of this in one box (you're paying for integration; this pack is the open path).
Install in this order
- AI Code Review Checklist — Ship Better with AI Help — Read this first. It's the policy doc every later tool implements. Covers correctness, security, performance, maintainability, and the failure modes specific to AI-generated diffs. Without a shared definition of "good", you'll just automate the wrong checks loudly.
- GitHub MCP Server — Official GitHub AI Integration — Wire Claude (or any MCP-compatible agent) into GitHub. PR list, diff, comments, CI status, labels, branches — all typed, no shell parsing. Every later AI tool in this pack assumes the agent can talk to GitHub. Without MCP, your AI reviewer is reading screenshots.
- Super-Linter — Multi-Language Linter Aggregator for CI — One GitHub Action runs 50+ linters across whatever languages your monorepo has. Cheapest, highest-signal layer. Catches 60% of "why did the build fail" before a human ever sees it. Install before anything fancy.
- reviewdog — Turn Lint Into PR Review Comments — Super-Linter dumps to logs. reviewdog reads any linter output and posts inline review comments on the exact line. This is the unlock: reviewers stop hunting through CI logs and start clicking expand-thread on real lines. Stack on top of #3 the same week.
- Danger — Automate PR Review Rules in CI — The policy bot. JavaScript / Ruby DSL: "PR must have description", "CHANGELOG must be updated when touching /api/", "no merges to main without two approvals". Encodes the conventions your team already nags about, so the bot nags instead of you.
- PR-Agent — AI-Powered Code Review for Pull Requests — Open-source by Qodo. On every PR open: writes a structured description, posts a multi-section review (key changes / suggestions / security / tests), and answers /ask follow-ups in comments. 10K+ stars. This is where the AI first pass actually lives — everything before it was the runway.
- Claude Code Security Review — PR Audit Action — A GitHub Action that runs Claude over the diff specifically for security: SQL injection, auth bypass, leaked secrets, unsafe deserialization, supply-chain weirdness. Distinct from #6 because it has a security prompt + threat model context. Pairs cleanly; doesn't replace.
- Bug Hunter — Adversarial AI Code Review + Auto-Fix — The Hunter / Skeptic / Referee multi-agent setup that finds bugs, challenges its own findings, and then proposes auto-fix patches you can apply. This is the "suggested fix" layer most CI bots fake — Bug Hunter actually produces diffs.
- /commit-push-pr — One-Shot Commit + Push + PR Slash Command — Close the loop on the author side. One slash command: stage changes, write a conventional commit message, push, open the PR. Every layer above now fires automatically on PR open. Your daily workflow collapses from 7 manual steps to 1.
How they fit together
Author side                    PR opens      Reviewer side
───────────                    ────────      ─────────────
/commit-push-pr (#9) ──push──▶ GitHub PR ──▶ Super-Linter (#3) ───┐
                                             reviewdog (#4) ──────┤
                                                                  │
AI Code Review Checklist (#1) ─── policy doc ─────────────────────┤
                                                                  │
GitHub MCP (#2) ─── reads PR/diff/CI ───┐                         │
                                        ▼                         │
                              PR-Agent (#6) ──────────────────────┤
                              Security Review (#7) ───────────────┤
                              Bug Hunter (#8 + fix patches) ──────┤
                              Danger (#5 policy gate) ────────────┤
                                                                  │
                                                                  ▼
                                                           Human reviewer
                                                sees only architectural / taste calls
The load-bearing trio is GitHub MCP (#2) + reviewdog (#4) + PR-Agent (#6) — that's connection, signal-to-noise transformation, and AI judgment. Everything else is depth on those three axes.
Tradeoffs (AI review depth vs noise)
- More AI bots ≠ better review. Every additional reviewer adds comments. PR-Agent + Bug Hunter + Security Review on the same PR can produce 30+ comments on a 50-line diff. Tune each one's threshold to "only critical" before adding the next. Reviewer fatigue is a real cost.
- Super-Linter vs language-native linters. Super-Linter is the one-Action shortcut. If you're a Python-only shop, native ruff + pre-commit runs 10x faster and has fewer false positives. Use Super-Linter to start; graduate to native per-language linters when you have a primary stack.
- Danger vs branch protection rules. GitHub's built-in branch protection covers "require 2 reviews", "require CI green". Danger covers "if you touched the auth module, the security label must be added". Don't try to do both in Danger — let GitHub do the dumb gates, let Danger do the contextual ones.
- AI auto-fix patches (#8) are suggestions, not commits. Bug Hunter proposes patches; a human still has to apply. Resist the urge to auto-merge AI-authored fixes — that's how you ship the "helpful refactor" that broke a downstream consumer at 2am.
- Cost. PR-Agent + Security Review + Bug Hunter each call an LLM on every PR. On a busy repo, that's $50-200/month in API spend. Cheaper than one engineer-hour of review, but budget it.
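A Dangerfile that encodes the three contextual rules named in the Danger entry of the install list and in the Danger vs branch protection tradeoff above (description required, CHANGELOG entry on API changes, security label on auth changes), written here as an added example rather than code from the pack or the Danger project. The paths src/api/ and src/auth/, the label name "security", and the 20-file split threshold are assumptions; rule evaluation is a pure function so it can be unit-tested without a live PR.

```javascript
// Dangerfile.js (added example; not the pack's or the Danger project's own code).
const API_PREFIX = "src/api/";     // assumed location of the API module
const AUTH_PREFIX = "src/auth/";   // assumed location of the auth module
const CHANGELOG = "CHANGELOG.md";
const SECURITY_LABEL = "security"; // assumed label name
const BIG_PR_FILES = 20;           // assumed "please split this" threshold

// pr: { body, labels: string[], modifiedFiles: string[], createdFiles: string[] }
function evaluatePr(pr) {
  const fails = [];
  const warns = [];
  const touched = [...pr.createdFiles, ...pr.modifiedFiles];

  // Rule 1: every PR carries a description reviewers can read before the diff.
  if (!pr.body || pr.body.trim().length < 20) {
    fails.push("PR needs a description (at least a sentence on what and why).");
  }

  // Rule 2: touching the API surface requires a CHANGELOG entry in the same PR.
  const touchesApi = touched.some((f) => f.startsWith(API_PREFIX));
  if (touchesApi && !touched.includes(CHANGELOG)) {
    fails.push(`Changes under ${API_PREFIX} require an entry in ${CHANGELOG}.`);
  }

  // Rule 3: touching auth code requires the security label so the right
  // reviewers are pulled in (the contextual gate branch protection can't express).
  const touchesAuth = touched.some((f) => f.startsWith(AUTH_PREFIX));
  if (touchesAuth && !pr.labels.includes(SECURITY_LABEL)) {
    fails.push(`Changes under ${AUTH_PREFIX} must carry the "${SECURITY_LABEL}" label.`);
  }

  // Soft nudge only: big diffs get rubber-stamped, not reviewed.
  if (touched.length > BIG_PR_FILES) {
    warns.push(`${touched.length} files changed; consider splitting this PR.`);
  }
  return { fails, warns };
}

// Wiring: when Danger runs the file it provides `danger`, `fail` and `warn` as
// globals. The guard lets the same file load as a plain module under test.
if (typeof danger !== "undefined") {
  const result = evaluatePr({
    body: danger.github.pr.body,
    labels: danger.github.issue.labels.map((l) => l.name),
    modifiedFiles: danger.git.modified_files,
    createdFiles: danger.git.created_files,
  });
  result.fails.forEach((m) => fail(m));
  result.warns.forEach((m) => warn(m));
}
```

The review-count and CI-green gates stay in GitHub's branch protection, as the tradeoff above recommends; this file only carries the rules that need PR context.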
Common pitfalls
- Skipping #1 (the checklist). Teams install the bots, never write down what "good" means, and then argue forever about whether the bot was "right" to flag something. The checklist is the spec the bots implement.
- Wiring AI tools without MCP (#2). They'll still work (most have GitHub-native integrations) but you'll get worse answers when you @-mention the bot in a comment, because it can't pull the latest diff or check CI status.
- Letting Super-Linter run on every push. Use paths: filters or matrix splits. Otherwise a one-line README edit triggers a 4-minute lint job. Engineers will start force-pushing past CI to skip it.
- No /never-do for AI reviewers. PR-Agent and Bug Hunter will, given the chance, suggest "rename this variable" forever. Put your team's anti-patterns in their config: don't suggest pure renaming, don't suggest one-character formatting fixes, don't reopen closed threads. Quiet reviewers get read.
- Trusting auto-fix patches without tests. Bug Hunter's auto-fix is plausible, not proven. Require tests pass on the patch branch before a human can merge. Otherwise the "fix" is hallucinated logic that compiles.
Frequently asked questions
Do I really need nine tools to review PRs?
If you're a solo dev, no — install #1 (checklist) and #9 (commit-push-pr) and call it a day. The full nine is for teams of 3+ where PR review is the bottleneck, where security and lint regressions actually happen, and where you'd otherwise hire an extra senior to do the boring layer of review. The math works out around 200+ PRs per month — below that, the API spend on PR-Agent + Bug Hunter + Security Review isn't worth it.
Won't running PR-Agent + Bug Hunter + Security Review on every PR drown reviewers in comments?
Yes, by default. The trick is severity tuning: configure each bot to comment only on "high" or "critical". PR-Agent's summary stays as a top-level comment (cheap to skim); Bug Hunter and Security Review only post when they find something concrete. After a week of tuning you'll land around 2-4 AI comments per PR on average — enough to be useful, low enough to read every one.
Why both Super-Linter (#3) AND reviewdog (#4)?
They do different things. Super-Linter runs the linters. reviewdog transforms linter output into PR-inline comments. Without reviewdog, Super-Linter's findings live in CI logs that nobody opens. Without Super-Linter, reviewdog has nothing to transform. They're a two-stage pipeline: produce, then place. Most teams add Super-Linter first, suffer for two weeks reading logs, then add reviewdog and immediately wonder why they waited.
Is Claude Code Security Review (#7) redundant with PR-Agent (#6)?
No. PR-Agent's review is broad — readability, naming, test coverage, obvious bugs. Security Review is narrow but deep: it has a security-specific prompt and looks for vulnerability classes (injection, auth bypass, secret leaks, deserialization) that a general reviewer might miss while focused on architecture. Run both; mute Security Review on docs-only PRs to save API spend.
Can I adopt this pack incrementally instead of all nine at once?
That's the recommended path. Week 1: install #1 (checklist) + #2 (GitHub MCP) + #9 (commit-push-pr). Week 2: add #3 (Super-Linter) + #4 (reviewdog) — your team will feel the difference immediately. Week 3: add #6 (PR-Agent) and tune comment thresholds. Week 4: add #5 (Danger), #7 (Security Review), #8 (Bug Hunter). Front-loading any AI bots before MCP + lint pipeline is in place just creates noise.