Integrating AI Code Review into Your CI/CD Pipeline
A well-designed CI/CD pipeline is the quality backbone of modern software delivery. Adding Merlin AI Code Review to that pipeline transforms it from a mechanical check system into an intelligent quality gate — one that catches semantic bugs, security issues, and architectural problems that linters and tests miss.
Where Merlin AI Code Review fits in the pipeline
Merlin AI Code Review runs as a CI job triggered on pull request events. It sits logically after linting and format checks (which are fast and cheap) but before or alongside test execution (which is slow and compute-intensive). The typical pipeline stage order:
- Fast checks — lint, format, type-check (seconds)
- Merlin AI Code Review — runs in parallel with tests (30–60 seconds)
- Tests — unit, integration, e2e (minutes)
- Build — compilation, bundling (minutes)
- Deploy — staging or production
Parallel review and test execution
```yaml
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run lint

  ai-review:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: |
          curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
          chmod +x merlin && ./merlin review && ./merlin run /security
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test

  build:
    needs: [lint, tests]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm run build
```
Running ai-review in parallel with tests means no additional wall-clock time is added to the pipeline — the review completes while tests run.
Making AI review a required check
In GitHub, you can require the ai-review job to pass before merging. Navigate to Settings → Branches → Branch protection rules → Require status checks to pass. Add the ai-review job name as a required check.
Note: Merlin AI Code Review's review job always exits 0 (success) — it posts comments but doesn't block the pipeline by default. To enforce blocking on critical findings, use merlin run /approve and configure it to exit non-zero on critical issues.
Conditional security scanning
Run the security scan only on PRs targeting protected branches (main, release/*):
```yaml
ai-security:
  runs-on: ubuntu-latest
  if: github.base_ref == 'main' || startsWith(github.base_ref, 'release/')
  permissions:
    pull-requests: write
  steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - run: |
        curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
        chmod +x merlin && ./merlin run /security
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
```
Azure DevOps integration
```yaml
trigger: none

pr:
  branches:
    include: ["main", "release/*"]

pool:
  vmImage: ubuntu-latest

steps:
  - script: |
      curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
      chmod +x merlin && ./merlin review
    env:
      AZURE_DEVOPS_TOKEN: $(System.AccessToken)
      ANTHROPIC_API_KEY: $(ANTHROPIC_API_KEY)
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
```
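All three pipelines on this page fetch whatever binary `releases/latest` currently points to and execute it in a job that holds the repository token and `ANTHROPIC_API_KEY`. The shell helper below is an added example, not code from the original page or the Merlin project: it refuses to mark the download executable unless it matches a pinned SHA-256. `sha256_of`, `install_verified`, `MERLIN_TAG` and `MERLIN_SHA256` are hypothetical names, and the digest is assumed to be one you recorded yourself after vetting a specific release.

```shell
#!/bin/sh
# Added example: gate execution of a downloaded CI tool on a pinned SHA-256.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified FILE EXPECTED_SHA256
# Returns 0 and marks FILE executable only when the digest matches.
# On a mismatch or an unusable pin the file is deleted, so no later
# step in the job can run it by accident.
install_verified() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # A usable pin is exactly 64 hex characters; reject empty or placeholder values.
    case $expected in
        ''|*[!0-9a-f]*) echo "invalid pin" >&2; rm -f "$file"; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "invalid pin length" >&2; rm -f "$file"; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        rm -f "$file"
        return 1
    fi
    chmod +x "$file"
}

# In the pipeline's run/script step (MERLIN_TAG and MERLIN_SHA256 are
# placeholders you set to the release you vetted and its digest):
#   curl -fsSL "https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/download/${MERLIN_TAG}/merlin-linux-amd64" -o merlin
#   install_verified merlin "$MERLIN_SHA256" && ./merlin review
```

Pinning the tag alone is not enough, because a release asset can be replaced under the same tag; the digest check is what ties the job to the exact bytes you reviewed.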