CLI workflow

Use a CLI for Reviewing GitHub Pull Requests

Collect PR metadata, inspect the patch locally, and report blockers before posting or merging anything.

Code collaborationRead only

Prepare tools, authentication, and evidence first

Install the recommended tools, confirm minimum permissions, and keep compatibility separate from real execution records.

ghverified
Review pull requests, triage issues, inspect Actions, and manage releases with GitHub's official CLI.

Recommended install

$ shell
brew install gh
Authentication
OAuth, personal access token, GitHub Actions token
Tested agents
No agent-specific execution record
Evidence status
verified · Documentation checked 2026-07-10
Independent CLI execution
2.86.0 · 2 checks
rgverified
Search source trees quickly with stable JSON, glob, type, and context controls.

Recommended install

$ shell
brew install ripgrep
Authentication
No authentication for the base operation
Tested agents
No agent-specific execution record
Evidence status
verified · Documentation checked 2026-07-10
Independent CLI execution
15.1.0 · 4 checks
jqverified
Parse, filter, validate, and transform JSON locally with deterministic output.

Recommended install

$ shell
brew install jq
Authentication
No authentication for the base operation
Tested agents
No agent-specific execution record
Evidence status
verified · Documentation checked 2026-07-10
Independent CLI execution
jq-1.7.1-apple · 4 checks

Copy or download this workflow Skill

The Skill includes input and output contracts, recommended tools, approval points, rollback, and evidence boundaries. Review it against the active environment before saving.

review-github-prs-SKILL.md
---
name: review-github-prs-workflow
description: "Collect PR metadata, inspect the patch locally, and report blockers before posting or merging anything."
---

# Review GitHub pull requests

## Intended outcome

Produce an evidence-backed review that separates findings from repository-changing actions.

## Evidence boundary

- Tool status distinguishes `docs-verified` material from independent execution; the two are not interchangeable.
- The current registry does not attribute a tool execution to a particular agent, so compatible agents cannot be called tested agents.
- Reconfirm the target account, environment, version, and official documentation before execution.
- Never auto-execute an R2, R3, or confirmation-marked step; obtain explicit approval immediately before it runs.

## Recommended tools, installation, and authentication

- **GitHub CLI** (evidence: `verified`, docs checked: `2026-07-10`, independently tested version 2.86.0 recorded)
  - Install: `brew install gh`
  - Authentication: OAuth, personal access token, GitHub Actions token
  - Minimum permissions: Use a read-only or fine-grained token limited to the required repositories.
- **ripgrep** (evidence: `verified`, docs checked: `2026-07-10`, independently tested version 15.1.0 recorded)
  - Install: `brew install ripgrep`
  - Authentication: not required for the base operation
  - Minimum permissions: No service credential is required; restrict filesystem and network access to the task.
- **jq** (evidence: `verified`, docs checked: `2026-07-10`, independently tested version jq-1.7.1-apple recorded)
  - Install: `brew install jq`
  - Authentication: not required for the base operation
  - Minimum permissions: No service credential is required; restrict filesystem and network access to the task.

## Input contract

- Repository name
- pull request number
- local checkout or patch
- read-scoped GitHub identity

## Output contract

- PR summary
- check status
- actionable findings
- recommended next action

## Safe workflow

1. **Read PR state** — Fetch title, author, files, reviews, and checks as JSON.
   - Input: Repository and PR number
   - Output: Machine-readable PR context
   - Risk: `read-only`
   - Command: `gh pr view 123 --json number,title,author,files,reviews,statusCheckRollup,url`
2. **Inspect the patch** — Read the diff and search affected code paths for assumptions and callers.
   - Input: PR diff and repository
   - Output: Line-specific review notes
   - Risk: `read-only`
   - Command: `gh pr diff 123 && rg "affectedSymbol" src`
3. **Report before writing** — Summarize blockers, confidence, and checks; keep comments, approvals, and merge as separate proposed actions.
   - Input: Review notes and CI status
   - Output: Review report and optional write commands
   - Risk: `read-only`

## Ask before proceeding

- Posting review comments
- Submitting approve or request-changes state
- Merging or closing the pull request

## Rollback

- Edit or delete an incorrect comment when permitted
- Revert a merge with a new commit instead of rewriting shared history
- Preserve the review report for audit

## Official sources

- [GitHub CLI manual](https://cli.github.com/manual/) — Official command, authentication, JSON field, and workflow documentation.
- [GitHub REST API documentation](https://docs.github.com/en/rest) — Official HTTP API and authentication reference for GitHub resources.

Outcome, inputs, and outputs

Define the result and evidence before the agent selects a command.

Goal

Produce an evidence-backed review that separates findings from repository-changing actions.

Required inputs

  • Repository name
  • pull request number
  • local checkout or patch
  • read-scoped GitHub identity

Expected outputs

  • PR summary
  • check status
  • actionable findings
  • recommended next action

Use a CLI for Reviewing GitHub Pull Requests: safe workflow

Run each step inside its stated boundary and verify the output before continuing.

Step 1Read only

Read PR state

Fetch title, author, files, reviews, and checks as JSON.
Input
Repository and PR number
Output
Machine-readable PR context
$ Read PR state
gh pr view 123 --json number,title,author,files,reviews,statusCheckRollup,url
Step 2Read only

Inspect the patch

Read the diff and search affected code paths for assumptions and callers.
Input
PR diff and repository
Output
Line-specific review notes
$ Inspect the patch
gh pr diff 123 && rg "affectedSymbol" src
Step 3Read only

Report before writing

Summarize blockers, confidence, and checks; keep comments, approvals, and merge as separate proposed actions.
Input
Review notes and CI status
Output
Review report and optional write commands

Approval points and rollback

Pause at the listed decision points and keep recovery instructions beside the action.

Ask before these actions

  • Posting review comments
  • Submitting approve or request-changes state
  • Merging or closing the pull request

Recovery plan

  • Edit or delete an incorrect comment when permitted
  • Revert a merge with a new commit instead of rewriting shared history
  • Preserve the review report for audit

CLI, MCP, or API?

Choose the interface by execution location, identity, output contract, and permission boundary.

CLI

Strong for local repository context, diffs, checks, and JSON output in developer workflows.

MCP

Useful when an organization wants typed GitHub actions and centralized credential policy.

API

Best for custom review services, batching, or fields the CLI does not expose conveniently.

Recommended approach

Use GitHub CLI for read-first review and gate every public comment or merge action.

Official evidence and references

Use these primary or upstream sources to verify current command behavior before acting.

GitHub CLI manual

Official command, authentication, JSON field, and workflow documentation.

GitHub REST API documentation

Official HTTP API and authentication reference for GitHub resources.

Questions before you run it

Can a review stay completely read-only?

Yes. Listing, viewing, diffing, and inspecting checks do not require posting a review.

Should an agent merge after checks pass?

No. Passing checks are evidence, not approval to merge; repository policy and explicit user intent still apply.

Related tools and guides

Browse sibling guides and choose the next page that best matches the active task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Continue with tool evidence, a workflow, or a decision guide related to this task.

Inspect installation, authentication, structured output, command risk, and official evidence.

Inspect installation, authentication, structured output, command risk, and official evidence.