GitHub ActionsCI/CDTutorial
Merlin AI Code ReviewComplete Guide to AI Code Review in GitHub Actions
February 20, 2025·10 min read·Merlin AI Code Review Team
GitHub Actions is the most popular CI platform for open-source and many enterprise teams. Merlin AI Code Review integrates seamlessly as a workflow step — no custom Actions, no marketplace dependencies, just a binary download and run. This guide covers everything from basic setup to advanced production workflows.
Basic setup (2 minutes)
.github/workflows/merlin-review.yml
yamlon:pull_request:types: [opened, synchronize]jobs:merlin-review:runs-on: ubuntu-latestpermissions:pull-requests: writesteps:- uses: actions/checkout@v4with:fetch-depth: 0- run: |curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlinchmod +x merlin && ./merlin reviewenv:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Set ANTHROPIC_API_KEY in your repository secrets (Settings → Secrets and variables → Actions). GITHUB_TOKEN is provided automatically.
Adding security scanning
Run a dedicated security pass alongside the standard review:
yaml
- run: |./merlin review./merlin run /securityenv:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Multi-step workflow with describe and labels
.github/workflows/merlin-full.yml
yamlon:pull_request:types: [opened, synchronize, reopened]jobs:merlin:runs-on: ubuntu-latestpermissions:pull-requests: writeissues: write # needed for label creationsteps:- uses: actions/checkout@v4with:fetch-depth: 0- name: Download Merlin AI Code Reviewrun: |curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlinchmod +x merlin- name: AI Reviewrun: ./merlin reviewenv:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}- name: Security Scanrun: ./merlin run /securityenv:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}- name: Generate Labelsrun: ./merlin run /generate_labelsenv:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Webhook bot mode (enable PR comment commands)
Allow PR commenters to trigger commands like @merlin /review by running Merlin in webhook mode:
.github/workflows/merlin-bot.yml
yamlon:issue_comment:types: [created]jobs:merlin-bot:if: github.event.issue.pull_request != nullruns-on: ubuntu-latestpermissions:pull-requests: writesteps:- uses: actions/checkout@v4- run: |curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlinchmod +x merlin && ./merlin webhookenv:GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}FERRET_GITHUB_SECRET: ${{ secrets.FERRET_GITHUB_SECRET }}
Caching the binary
Cache the Merlin AI Code Review binary across workflow runs to save ~5 seconds on each run:
yaml
- name: Cache Merlin AI Code Review binaryuses: actions/cache@v4with:path: merlinkey: merlin-${{ runner.os }}-latest- name: Download Merlin AI Code Review (if not cached)run: |if [ ! -f merlin ]; thencurl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlinchmod +x merlinfi
Using a custom config
Add merlin.toml to your repo root to customize review behavior without touching the workflow:
merlin.toml
toml[ai]provider = "anthropic"model = "claude-sonnet-4-6"[review]focus = ["bugs", "security", "performance"]max_comments = 20reflect = true
Related articles
TutorialGetting Started
Ship Better Code in 5 Minutes with Merlin AI Code Review
January 29, 20256 min read
CommandsTutorial
Deep Dive: Merlin AI Code Review's 19 Slash Commands and When to Use Each
March 14, 202510 min read
CI/CDDevOps
Integrating AI Code Review into Your CI/CD Pipeline
March 4, 20259 min read