Code Review Skill
Load with: base.md + [codex-review.md for OpenAI Codex] + [gemini-review.md for Google Gemini]
Purpose: Enforce automated code reviews as a mandatory guardrail before every commit and deployment. Choose between Claude, OpenAI Codex, Google Gemini, or multiple engines for comprehensive analysis.
Review Engine Choice
When running `/code-review`, users can choose their preferred review engine:

```
┌─────────────────────────────────────────────────────────────────┐
│ CODE REVIEW - Choose Your Engine │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ○ Claude (default) │
│ Built-in, no extra setup, full conversation context │
│ │
│ ○ OpenAI Codex CLI │
│ GPT-5.2-Codex specialized for code review, 88% detection │
│ Requires: npm install -g @openai/codex │
│ │
│ ○ Google Gemini CLI │
│ Gemini 2.5 Pro with 1M token context, free tier available │
│ Requires: npm install -g @google/gemini-cli │
│ │
│ ○ Dual Engine (any two) │
│ Run two engines, compare findings, catch more issues │
│ │
│ ○ All Three (maximum coverage) │
│ Run Claude + Codex + Gemini for critical/security code │
│ │
└─────────────────────────────────────────────────────────────────┘
```
Engine Comparison
| Aspect | Claude | Codex | Gemini | Multi-Engine |
|---|---|---|---|---|
| Setup | None | npm + OpenAI API | npm + Google Account | All setups |
| Speed | Fast | Fast | Fast | 2-3x time |
| Context | Conversation | Fresh per review | 1M tokens | N/A |
| Detection | Good | 88% (best) | 63.8% SWE-Bench | Combined |
| Free Tier | N/A | Limited | 1,000/day | Varies |
| Best for | Quick reviews | High accuracy | Large codebases | Critical code |
Set Default Engine
```toml
# ~/.claude/settings.toml or project CLAUDE.md
[code-review]
default_engine = "claude"  # Options: claude, codex, gemini, dual, all
```
Usage Examples
```bash
# Use default engine
/code-review

# Explicitly choose engine
/code-review --engine claude
/code-review --engine codex
/code-review --engine gemini

# Dual engine (pick any two)
/code-review --engine claude,codex
/code-review --engine claude,gemini
/code-review --engine codex,gemini

# All three engines
/code-review --engine all

# Quick shortcuts
/code-review            # Uses default
/code-review --codex    # Use Codex
/code-review --gemini   # Use Gemini
/code-review --all      # All three engines
```

---
Multi-Engine Output
When using multiple engines, findings are compared and deduplicated:
Dual Engine Example
```
┌─────────────────────────────────────────────────────────────────┐
│ CODE REVIEW RESULTS - DUAL ENGINE (Claude + Codex) │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ✅ AGREED (Found by both): │
│ 🔴 SQL injection in auth.ts:45 │
│ 🟡 Missing error handling in api.ts:112 │
│ │
│ 🔷 CLAUDE ONLY: │
│ 🟠 Potential race condition in worker.ts:89 │
│ 🟢 Consider extracting helper function │
│ │
│ 🔶 CODEX ONLY: │
│ 🟠 Memory leak - unclosed stream in upload.ts:34 │
│ 🟡 N+1 query pattern in orders.ts:156 │
│ │
├─────────────────────────────────────────────────────────────────┤
│ SUMMARY │
│ Agreed: 2 | Claude only: 2 | Codex only: 2 │
│ Critical: 1 | High: 2 | Medium: 2 | Low: 1 │
│ Status: ❌ BLOCKED - Fix critical/high issues │
└─────────────────────────────────────────────────────────────────┘
```
Triple Engine Example (All Three)
```
┌─────────────────────────────────────────────────────────────────┐
│ CODE REVIEW RESULTS - TRIPLE ENGINE │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ✅ UNANIMOUS (All 3 found): │
│ 🔴 SQL injection in auth.ts:45 │
│ │
│ ✅ MAJORITY (2 of 3 found): │
│ 🟠 Memory leak - unclosed stream in upload.ts:34 (Codex+Gemini)│
│ 🟡 Missing error handling in api.ts:112 (Claude+Codex) │
│ │
│ 🔷 CLAUDE ONLY: │
│ 🟠 Potential race condition in worker.ts:89 │
│ │
│ 🔶 CODEX ONLY: │
│ 🟡 N+1 query pattern in orders.ts:156 │
│ │
│ 🟢 GEMINI ONLY: │
│ 🟡 Consider using batch API for better performance │
│ 🟢 Type could be more specific in types.ts:23 │
│ │
├─────────────────────────────────────────────────────────────────┤
│ SUMMARY │
│ Unanimous: 1 | Majority: 2 | Single: 5 │
│ Critical: 1 | High: 2 | Medium: 3 | Low: 2 │
│ Status: ❌ BLOCKED - Fix critical/high issues │
└─────────────────────────────────────────────────────────────────┘
```
When to Use Each Mode
| Mode | Use When |
|---|---|
| Single (Claude) | Quick in-flow reviews, exploration |
| Single (Codex) | CI/CD automation, high accuracy needed |
| Single (Gemini) | Large codebases (100+ files), free tier |
| Dual | Important PRs, pre-merge reviews |
| Triple (All) | Security-critical code, payment systems, auth |
Core Philosophy
```
┌─────────────────────────────────────────────────────────────────┐
│ CODE REVIEW IS NON-NEGOTIABLE │
│ ───────────────────────────────────────────────────────────── │
│ │
│ Every commit must pass code review. │
│ Every PR must be reviewed before merge. │
│ Every deployment must include review sign-off. │
│ │
│ AI catches what humans miss. Humans catch what AI misses. │
│ Together: fewer bugs, cleaner code, better security. │
├─────────────────────────────────────────────────────────────────┤
│ INVOKE: /code-review │
│ PLUGIN: code-review@claude-plugins-official │
└─────────────────────────────────────────────────────────────────┘
```
When to Run Code Review
Mandatory Review Points
| Trigger | Action | Command |
|---|---|---|
| Before commit | Review staged changes | |
| Before PR | Review all changes vs base | |
| Before merge | Final review of PR | |
| Before deploy | Review deployment diff | |
Automatic Integration
Run code review automatically before every commit:
```
┌─────────────────────────────────────────────────────────────────┐
│ COMMIT WORKFLOW │
│ ───────────────────────────────────────────────────────────── │
│ │
│ 1. Write code │
│ 2. Run tests (TDD - must pass) │
│ 3. Run /code-review ← MANDATORY │
│ 4. Address critical/high issues │
│ 5. Commit │
│ 6. Push │
│ │
│ Skip step 3? ❌ NO COMMIT ALLOWED │
└─────────────────────────────────────────────────────────────────┘
```
Using the Code Review Plugin
Basic Usage
```bash
# Review current changes
/code-review

# Review specific files
/code-review src/auth/*.ts

# Review a PR
/code-review --pr 123

# Review with specific focus
/code-review --focus security
/code-review --focus performance
/code-review --focus architecture
```
Review Categories
The code review plugin analyzes:
| Category | What It Checks |
|---|---|
| Security | Vulnerabilities, injection risks, auth issues, secrets |
| Performance | N+1 queries, memory leaks, inefficient algorithms |
| Architecture | Design patterns, SOLID principles, coupling |
| Code Quality | Readability, complexity, duplication |
| Best Practices | Language idioms, framework conventions |
| Testing | Coverage gaps, test quality, edge cases |
| Documentation | Missing docs, outdated comments |
Severity Levels
| Level | Action Required | Can Commit? |
|---|---|---|
| 🔴 Critical | Must fix immediately | ❌ NO |
| 🟠 High | Should fix before commit | ❌ NO |
| 🟡 Medium | Fix soon, can commit | ✅ YES |
| 🟢 Low | Nice to have | ✅ YES |
| ℹ️ Info | Suggestions only | ✅ YES |
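The multi-engine output above ("findings are compared and deduplicated") and this severity table are the two rules an automated gate has to apply: merge each engine's findings, label how many engines agree, then block on Critical and High. The script below is an added example, not code from the code-review plugin or from any of the engine CLIs. It assumes each engine's report lists one finding per line prefixed with the severity markers used on this page and, where the engine gives one, a `file:line` location; the three embedded sample reports are constructed to mirror the triple-engine result box. Matching only marker-prefixed lines is what makes it safer than the `grep -i "critical\|high"` checks used later on this page, which also fire on prose such as "no critical issues found".

```python
"""Merge findings from several review engines and apply the severity gate.

Added example (not the code-review plugin's own code). Assumed report format:
one finding per line, prefixed with a severity marker (🔴 🟠 🟡 🟢 ℹ️) and,
where an engine gives one, a "file:line" location somewhere in the message.
"""
import re
import sys
from collections import Counter

# Severity table from this page: Critical and High block the commit.
SEVERITY = {"🔴": "Critical", "🟠": "High", "🟡": "Medium", "🟢": "Low", "\u2139": "Info"}
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]
BLOCKING = {"Critical", "High"}

# A finding line: optional box border/whitespace, a severity marker, the message,
# optional trailing border. Only marker-prefixed lines count, so prose such as
# "No critical issues found" or a word like "Highlight" cannot trip the gate.
FINDING_RE = re.compile(r"^[\s│]*(🔴|🟠|🟡|🟢|\u2139\ufe0f?)\s+(.*?)[\s│]*$")
LOCATION_RE = re.compile(r"([\w./-]+\.\w+):(\d+)")


def parse_report(engine, text):
    """Return the findings one engine reported, each keyed by file:line (or message)."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue
        marker = m.group(1).rstrip("\ufe0f")  # drop the emoji variation selector on ℹ️
        message = m.group(2)
        loc = LOCATION_RE.search(message)
        # The same location from two engines is the same finding even if worded
        # differently; without a location, fall back to the normalised message.
        key = (loc.group(1), int(loc.group(2))) if loc else message.lower()
        findings.append({"engine": engine, "severity": SEVERITY[marker],
                         "message": message, "key": key})
    return findings


def merge_findings(reports):
    """Deduplicate findings across engines; the highest severity any engine gave wins.

    reports maps engine name -> report text. Each merged entry records which
    engines found it and a consensus label: unanimous (all engines), majority
    (more than one engine), or single.
    """
    merged = {}
    for engine, text in reports.items():
        for f in parse_report(engine, text):
            entry = merged.setdefault(
                f["key"], {"message": f["message"], "severity": f["severity"], "engines": set()})
            entry["engines"].add(engine)
            if SEVERITY_ORDER.index(f["severity"]) < SEVERITY_ORDER.index(entry["severity"]):
                entry["severity"] = f["severity"]
    n = len(reports)
    for entry in merged.values():
        k = len(entry["engines"])
        entry["consensus"] = "unanimous" if n > 1 and k == n else "majority" if k > 1 else "single"
    return merged


def summarize(merged):
    """Severity and consensus counts plus the commit decision from the severity table."""
    blocked = any(e["severity"] in BLOCKING for e in merged.values())
    return {"severity": dict(Counter(e["severity"] for e in merged.values())),
            "consensus": dict(Counter(e["consensus"] for e in merged.values())),
            "status": "BLOCKED" if blocked else "PASSED"}


def review_gate(reports):
    """Entry point a hook or CI step would call: (merged findings, summary)."""
    merged = merge_findings(reports)
    return merged, summarize(merged)


# Constructed sample reports mirroring the triple-engine result box on this page.
SAMPLE_REPORTS = {
    "claude": "🔴 SQL injection in auth.ts:45\n"
              "🟡 Missing error handling in api.ts:112\n"
              "🟠 Potential race condition in worker.ts:89\n"
              "No critical issues elsewhere; Highlighted nothing more.\n",
    "codex": "🔴 SQL injection in auth.ts:45\n"
             "🟠 Memory leak - unclosed stream in upload.ts:34\n"
             "🟡 Missing error handling in api.ts:112\n"
             "🟡 N+1 query pattern in orders.ts:156\n",
    "gemini": "🔴 SQL injection in auth.ts:45\n"
              "🟠 Memory leak - unclosed stream in upload.ts:34\n"
              "🟡 Consider using batch API for better performance\n"
              "🟢 Type could be more specific in types.ts:23\n",
}

if __name__ == "__main__":
    merged, summary = review_gate(SAMPLE_REPORTS)
    for e in sorted(merged.values(), key=lambda e: SEVERITY_ORDER.index(e["severity"])):
        print(f"{e['severity']:<8} {e['consensus']:<9} {e['message']}  "
              f"[{', '.join(sorted(e['engines']))}]")
    print(summary)
    sys.exit(1 if summary["status"] == "BLOCKED" else 0)
```

Run as a script it exits 1 when the merged result is BLOCKED, so it can replace the `grep` check in the pre-commit hook or CI workflow by feeding it each engine's saved report. Keying on `file:line` is what lets differently worded findings from two engines collapse into one "majority" entry; findings without a location only merge when the message text is identical.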
Pre-Commit Hook Integration
Install Pre-Commit Hook
```bash
#!/bin/bash
# .git/hooks/pre-commit

echo "🔍 Running code review..."

# Run Claude code review on staged files (added, copied or modified source files)
STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\.(ts|tsx|js|jsx|py|go|rs)$')

if [ -n "$STAGED_FILES" ]; then
  # Invoke code review (requires claude CLI)
  claude --print "/code-review $STAGED_FILES" > /tmp/code-review-result.txt 2>&1

  # Check for critical/high issues
  if grep -q "🔴\|Critical\|🟠\|High" /tmp/code-review-result.txt; then
    echo "❌ Code review found critical/high issues:"
    cat /tmp/code-review-result.txt
    echo ""
    echo "Fix these issues before committing."
    exit 1
  fi

  echo "✅ Code review passed"
fi

exit 0
```
Make Hook Executable

```bash
chmod +x .git/hooks/pre-commit
```
Codex CLI Setup (For Codex/Both Modes)
If you want to use Codex or Both modes, install the Codex CLI:
```bash
# Prerequisites: Node.js 22+
node --version   # Must be 22+

# Install Codex CLI
npm install -g @openai/codex

# Authenticate (choose one):
# Option 1: ChatGPT subscription (Plus, Pro, Team, Enterprise)
codex   # Follow prompts to sign in

# Option 2: API key
export OPENAI_API_KEY=sk-proj-...
```
Verify Installation
```bash
# Check Codex is installed
codex --version

# Test review
codex
/review
```
See `codex-review.md` skill for full Codex documentation.

---
Gemini CLI Setup (For Gemini/Multi-Engine Modes)
If you want to use Gemini or multi-engine modes, install the Gemini CLI:
```bash
# Prerequisites: Node.js 20+
node --version   # Must be 20+

# Install Gemini CLI
npm install -g @google/gemini-cli

# Or via Homebrew (macOS)
brew install gemini-cli

# Install Code Review extension
gemini extensions install https://github.com/gemini-cli-extensions/code-review
```
Authenticate
```bash
# Option 1: Google Account (recommended, 1000 req/day free)
gemini   # Follow browser login prompts

# Option 2: API key (100 req/day free)
export GEMINI_API_KEY="your-key-from-aistudio.google.com"
```
Verify Installation
```bash
# Check Gemini is installed
gemini --version

# List extensions
gemini extensions list

# Test review
gemini
/code-review
```
See `gemini-review.md` skill for full Gemini documentation.

---
CI/CD Integration
GitHub Actions - Claude Only
```yaml
# .github/workflows/code-review.yml
name: Code Review

on:
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  code-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Get changed files
        id: changed-files
        run: |
          echo "files=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | tr '\n' ' ')" >> $GITHUB_OUTPUT

      - name: Run Claude Code Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npx @anthropic-ai/claude-code --print "/code-review ${{ steps.changed-files.outputs.files }}" > review.md

      - name: Post Review Comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## 🔍 Claude Code Review\n\n${review}`
            });

      - name: Check for Critical Issues
        run: |
          if grep -q "Critical\|🔴" review.md; then
            echo "❌ Critical issues found"
            exit 1
          fi
```
GitHub Actions - Codex Only
```yaml
# .github/workflows/codex-review.yml
name: Codex Code Review

on:
  pull_request:

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Codex Review
        uses: openai/codex-action@main
        with:
          openai_api_key: ${{ secrets.OPENAI_API_KEY }}
          model: gpt-5.2-codex
          safety_strategy: drop-sudo
```
GitHub Actions - Both Engines
```yaml
# .github/workflows/dual-review.yml
name: Dual Code Review

on:
  pull_request:

jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Claude Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npx @anthropic-ai/claude-code --print "/code-review" > claude-review.md

      - uses: actions/upload-artifact@v4
        with:
          name: claude-review
          path: claude-review.md

  codex-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: Install Codex
        run: npm install -g @openai/codex

      - name: Codex Review
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          codex exec --full-auto --sandbox read-only \
            --output-last-message codex-review.md \
            "Review this code for bugs, security issues, and quality problems"

      - uses: actions/upload-artifact@v4
        with:
          name: codex-review
          path: codex-review.md

  combine-reviews:
    needs: [claude-review, codex-review]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4

      - name: Combine Reviews
        run: |
          echo "## 🔍 Dual Code Review Results" > combined-review.md
          echo "" >> combined-review.md
          echo "### Claude Findings" >> combined-review.md
          cat claude-review/claude-review.md >> combined-review.md
          echo "" >> combined-review.md
          echo "### Codex Findings" >> combined-review.md
          cat codex-review/codex-review.md >> combined-review.md

      - name: Post Combined Review
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('combined-review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: review
            });
```
GitHub Actions - Gemini Only
```yaml
# .github/workflows/gemini-review.yml
name: Gemini Code Review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Gemini CLI
        run: npm install -g @google/gemini-cli

      - name: Run Review
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: |
          # Get diff
          git diff origin/${{ github.base_ref }}...HEAD > diff.txt

          # Run Gemini review
          gemini -p "Review this pull request diff for bugs, security issues, and code quality problems. Be specific about file names and line numbers.

          $(cat diff.txt)" > review.md

      - name: Post Review Comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: `## 🤖 Gemini Code Review\n\n${review}`
            });

      - name: Check for Critical Issues
        run: |
          if grep -qi "critical\|security vulnerability\|injection" review.md; then
            echo "❌ Critical issues found"
            exit 1
          fi
```
GitHub Actions - All Three Engines
```yaml
# .github/workflows/triple-review.yml
name: Triple Engine Code Review

on:
  pull_request:

jobs:
  claude-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Claude Review
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
        run: |
          npx @anthropic-ai/claude-code --print "/code-review" > claude-review.md

      - uses: actions/upload-artifact@v4
        with:
          name: claude-review
          path: claude-review.md

  codex-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '22'

      - name: Install Codex
        run: npm install -g @openai/codex

      - name: Codex Review
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
        run: |
          codex exec --full-auto --sandbox read-only \
            --output-last-message codex-review.md \
            "Review this code for bugs, security issues, and quality problems"

      - uses: actions/upload-artifact@v4
        with:
          name: codex-review
          path: codex-review.md

  gemini-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Gemini CLI
        run: npm install -g @google/gemini-cli

      - name: Gemini Review
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: |
          git diff origin/${{ github.base_ref }}...HEAD > diff.txt
          gemini -p "Review this code diff for bugs, security, and quality issues:

          $(cat diff.txt)" > gemini-review.md

      - uses: actions/upload-artifact@v4
        with:
          name: gemini-review
          path: gemini-review.md

  combine-reviews:
    needs: [claude-review, codex-review, gemini-review]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4

      - name: Combine Reviews
        run: |
          echo "## 🔍 Triple Engine Code Review Results" > combined-review.md
          echo "" >> combined-review.md
          echo "### 🟣 Claude Findings" >> combined-review.md
          cat claude-review/claude-review.md >> combined-review.md
          echo "" >> combined-review.md
          echo "---" >> combined-review.md
          echo "### 🟢 Codex Findings" >> combined-review.md
          cat codex-review/codex-review.md >> combined-review.md
          echo "" >> combined-review.md
          echo "---" >> combined-review.md
          echo "### 🔵 Gemini Findings" >> combined-review.md
          cat gemini-review/gemini-review.md >> combined-review.md

      - name: Post Combined Review
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const review = fs.readFileSync('combined-review.md', 'utf8');
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: review
            });

      - name: Check Critical Issues
        run: |
          # Fail if any engine found critical issues
          if grep -qi "critical\|🔴" combined-review.md; then
            echo "❌ Critical issues found by at least one engine"
            exit 1
          fi
```

---
Review Checklist
Before Every Commit
- Run `/code-review` on staged changes
- No critical (🔴) issues
- No high (🟠) issues
- Security concerns addressed
- Performance issues considered
Before Every PR
- Full code review of all changes
- All critical/high issues resolved
- Tests added for new functionality
- Documentation updated if needed
Before Every Deployment
- Final review of deployment diff
- Security scan passed
- No new vulnerabilities introduced
- Rollback plan documented
Common Review Findings

Security Issues (Always Fix)

| Issue | Example | Fix |
|---|---|---|
| SQL Injection | | Use parameterized queries |
| XSS | | Sanitize or use textContent |
| Secrets in code | | Use environment variables |
| Missing auth | Unprotected endpoints | Add authentication middleware |
| Insecure crypto | MD5/SHA1 for passwords | Use bcrypt/argon2 |
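A pre-commit heuristic for the rows of the table above that leave a recognisable source pattern (string-built SQL, `innerHTML` assignment, a hardcoded credential, MD5/SHA1 hashing), added here as an example and not part of the skill's own code. It walks a unified diff, inspects only added lines, and reports file:line findings with the fix column from the table, so the obvious cases are caught before the engine review runs. The regexes are deliberately simple heuristics, and the sample diff (including the placeholder key value) is constructed for this example.

```javascript
// Added example (not the skill's own code): scan the added lines of a unified
// diff for the security findings in the "Security Issues" table.

const RULES = [
  {
    issue: 'SQL Injection',
    // SQL keyword on a line that splices a value in with ${...} or string "+" concatenation
    pattern: /\b(?:SELECT|INSERT|UPDATE|DELETE)\b.*(?:\$\{|['"`]\s*\+)/i,
    fix: 'Use parameterized queries',
  },
  {
    issue: 'XSS',
    pattern: /\.innerHTML\s*=/,
    fix: 'Sanitize or use textContent',
  },
  {
    issue: 'Secrets in code',
    // credential-like name assigned a quoted literal of 8+ characters
    pattern: /\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i,
    fix: 'Use environment variables',
  },
  {
    issue: 'Insecure crypto',
    pattern: /createHash\(\s*['"](?:md5|sha1)['"]/i,
    fix: 'Use bcrypt/argon2',
  },
];

// Scan a unified diff; returns [{ file, line, issue, fix, code }] for added lines only.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let newLine = 0; // line number in the new file of the next line we see
  for (const raw of diffText.split('\n')) {
    if (raw.startsWith('+++ ')) {
      file = raw.slice(4).replace(/^b\//, '');
      continue;
    }
    if (raw.startsWith('--- ') || raw.startsWith('diff ')) continue;
    const hunk = raw.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith('-')) continue; // removed lines do not exist in the new file
    if (raw.startsWith('+')) {
      const code = raw.slice(1);
      for (const rule of RULES) {
        if (rule.pattern.test(code)) {
          findings.push({ file, line: newLine, issue: rule.issue, fix: rule.fix, code: code.trim() });
        }
      }
    }
    newLine += 1; // context and added lines both advance the new-file line number
  }
  return findings;
}

// Render findings in the style of the Review Response Template.
function formatFindings(findings) {
  if (findings.length === 0) return '✅ No security findings';
  return findings
    .map(f => `- 🔴 ${f.issue} in ${f.file}:${f.line}\n  - Fix: ${f.fix}\n  - Code: ${f.code}`)
    .join('\n');
}

// Constructed sample diff (the key value is a placeholder, not a real credential).
const SAMPLE_DIFF = [
  'diff --git a/src/userController.ts b/src/userController.ts',
  '--- a/src/userController.ts',
  '+++ b/src/userController.ts',
  '@@ -40,6 +40,9 @@ export async function getUser(req, res) {',
  '   const userId = req.params.id;',
  "-  const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);",
  '+  const user = await db.query(`SELECT * FROM users WHERE id = ${userId}`);',
  '+  const apiKey = "PLACEHOLDER-not-a-real-key";',
  "+  const digest = crypto.createHash('md5').update(req.body.password).digest('hex');",
  '   res.json(user);',
  ' }',
  'diff --git a/src/profile.ts b/src/profile.ts',
  '--- a/src/profile.ts',
  '+++ b/src/profile.ts',
  '@@ -10,3 +10,4 @@',
  "   const el = document.getElementById('bio');",
  '-  el.textContent = profile.bio;',
  '+  el.innerHTML = profile.bio;',
  "+  el.title = 'profile';",
].join('\n');

if (typeof require === 'function' && require.main === module) {
  console.log(formatFindings(scanDiff(SAMPLE_DIFF)));
}
```

Feeding it `git diff --cached` output gives four findings on the sample: SQL Injection at src/userController.ts:41, Secrets in code at :42, Insecure crypto at :43 and XSS at src/profile.ts:11. The removed parameterized query is not reported because only added lines are scanned.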
Performance Issues (Should Fix)

| Issue | Example | Fix |
|---|---|---|
| N+1 queries | Loop with individual queries | Use batch/eager loading |
| Memory leak | Unclosed connections | Use connection pooling |
| Missing index | Slow queries | Add database indexes |
| Large payload | Fetching unused fields | Select only needed fields |
| No pagination | Loading all records | Implement pagination |
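The N+1 row above, shown beside its batched form, as an added example that is not from the original page. A small in-memory stand-in for a database driver records every query issued, so the difference a reviewer flags ("loop with individual queries") becomes a measurable count: one query per user plus one, versus two in total. The `users`/`orders` schema, the rows and the `RecordingDb` class are all constructed for this example.

```javascript
// Added example (not the skill's own code): N+1 query pattern vs. batched loading,
// measured against a constructed in-memory "database" that logs every query.

// Minimal query recorder standing in for a real driver.
class RecordingDb {
  constructor(tables) {
    this.tables = tables;
    this.queries = []; // every SQL string issued, in order
  }
  // Only two query shapes are understood: all rows of a table, or rows whose
  // column equals one value (=) or is in a list of values (IN).
  query(sql, params = []) {
    this.queries.push(sql);
    const m = sql.match(/^SELECT \* FROM (\w+)(?: WHERE (\w+) (=|IN) \?)?$/);
    if (!m) throw new Error(`unsupported query in this example: ${sql}`);
    const [, table, column, op] = m;
    const rows = this.tables[table];
    if (!column) return rows;
    const wanted = op === '=' ? [params[0]] : params[0];
    return rows.filter(r => wanted.includes(r[column]));
  }
}

// N+1: one query for the users, then one more query per user.
function getOrdersNPlusOne(db) {
  const users = db.query('SELECT * FROM users');
  return users.map(u => ({
    user: u.name,
    orders: db.query('SELECT * FROM orders WHERE user_id = ?', [u.id]),
  }));
}

// Batched: one query for the users, one query for all their orders, grouped in memory.
function getOrdersBatched(db) {
  const users = db.query('SELECT * FROM users');
  const orders = db.query('SELECT * FROM orders WHERE user_id IN ?', [users.map(u => u.id)]);
  const byUser = new Map();
  for (const o of orders) {
    if (!byUser.has(o.user_id)) byUser.set(o.user_id, []);
    byUser.get(o.user_id).push(o);
  }
  return users.map(u => ({ user: u.name, orders: byUser.get(u.id) || [] }));
}

// Constructed sample data: three users, one of whom has no orders.
function sampleTables() {
  return {
    users: [{ id: 1, name: 'ana' }, { id: 2, name: 'bo' }, { id: 3, name: 'cy' }],
    orders: [
      { id: 10, user_id: 1, total: 20 },
      { id: 11, user_id: 1, total: 5 },
      { id: 12, user_id: 3, total: 42 },
    ],
  };
}

// Run both versions and report how many round trips each needed.
function compareQueryCounts() {
  const slow = new RecordingDb(sampleTables());
  const fast = new RecordingDb(sampleTables());
  const a = getOrdersNPlusOne(slow);
  const b = getOrdersBatched(fast);
  return {
    nPlusOneQueries: slow.queries.length, // 1 + number of users
    batchedQueries: fast.queries.length,  // always 2, regardless of user count
    sameResult: JSON.stringify(a) === JSON.stringify(b),
  };
}

if (typeof require === 'function' && require.main === module) {
  console.log(compareQueryCounts());
}
```

With three users the loop issues four queries and the batched version two; the gap grows linearly with the number of users while the results stay identical, which is what makes the pattern worth flagging even when it is invisible in a small test database.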
Code Quality (Nice to Fix)

| Issue | Example | Fix |
|---|---|---|
| Long function | 100+ lines | Extract into smaller functions |
| Deep nesting | 5+ levels | Early returns, extract methods |
| Magic numbers | | Use named constants |
| Duplicate code | Copy-pasted blocks | Extract shared function |
| Missing types | | Add proper TypeScript types |
Integration with TDD Workflow

```
┌─────────────────────────────────────────────────────────────────┐
│ TDD + CODE REVIEW WORKFLOW                                      │
│ ─────────────────────────────────────────────────────────────── │
│                                                                 │
│ 1. RED: Write failing tests                                     │
│ 2. GREEN: Write code to pass tests                              │
│ 3. REFACTOR: Clean up code                                      │
│ 4. REVIEW: Run /code-review ← NEW STEP                          │
│ 5. FIX: Address critical/high issues                            │
│ 6. VALIDATE: Lint + TypeCheck + Coverage                        │
│ 7. COMMIT: Only after review passes                             │
│                                                                 │
│ Review catches what tests miss:                                 │
│   - Security vulnerabilities                                    │
│   - Performance issues                                          │
│   - Architecture problems                                       │
│   - Code maintainability                                        │
└─────────────────────────────────────────────────────────────────┘
```

Review Response Template
When code review finds issues, respond with:

```markdown
## Code Review Results

### 🔴 Critical Issues (Must Fix)
- SQL Injection in userController.ts:45
  - Issue: User input directly interpolated into query
  - Fix: Use parameterized query
  - Code: `db.query('SELECT * FROM users WHERE id = $1', [userId])`

### 🟠 High Issues (Should Fix)
- Missing authentication on /api/admin endpoints
  - Issue: Admin routes accessible without auth
  - Fix: Add auth middleware

### 🟡 Medium Issues (Fix Soon)
- N+1 query in getOrders function
  - Consider eager loading or batch query

### 🟢 Low Issues (Nice to Have)
- Consider extracting validation logic to separate file

### ✅ Strengths
- Good test coverage
- Clear function names
- Proper error handling

### 📊 Summary
- Critical: 1 | High: 1 | Medium: 1 | Low: 1
- Status: ❌ BLOCKED - Fix critical/high issues before commit
```

---

Claude Instructions
When to Invoke Code Review

Claude should automatically suggest or run code review:

- After completing a feature → "Let me run a code review before we commit"
- Before creating a PR → "Running code review on all changes"
- When user says "commit" → "First, let me review the changes"
- After fixing bugs → "Reviewing the fix for any issues"

Review Focus Areas

Prioritize review based on change type:

| Change Type | Focus Areas |
|---|---|
| Auth/Security code | Security, input validation, crypto |
| Database code | SQL injection, N+1, transactions |
| API endpoints | Auth, rate limiting, validation |
| Frontend code | XSS, state management, performance |
| Infrastructure | Secrets, permissions, logging |
Quick Reference

Commands

```bash
# Basic review
/code-review

# Review specific files
/code-review src/auth.ts src/users.ts

# Review with focus
/code-review --focus security

# Review PR
/code-review --pr 123
```

Severity Actions

```
🔴 Critical → STOP. Fix now. No commit.
🟠 High → STOP. Fix now. No commit.
🟡 Medium → Note it. Fix soon. Can commit.
🟢 Low → Optional. Nice to have.
ℹ️ Info → FYI only.
```

Workflow

```
Code → Test → Review → Fix → Commit → Push → PR → Review → Merge → Deploy
                ↑                                   ↑                ↑
          /code-review                        /code-review     /code-review
```