Complete Guide to AI Code Review in GitHub Actions
GitHub Actions is the most popular CI platform for open-source and many enterprise teams. Merlin AI Code Review integrates seamlessly as a workflow step — no custom Actions, no marketplace dependencies, just a binary download and run. This guide covers everything from basic setup to advanced production workflows.
Basic setup (2 minutes)
    on:
      pull_request:
        types: [opened, synchronize]
    jobs:
      merlin-review:
        runs-on: ubuntu-latest
        permissions:
          contents: read  # checkout needs this: unlisted permissions default to none
          pull-requests: write
        steps:
          - uses: actions/checkout@v4
            with:
              fetch-depth: 0
          - run: |
              curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
              chmod +x merlin && ./merlin review
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Set ANTHROPIC_API_KEY in your repository secrets (Settings → Secrets and variables → Actions). GITHUB_TOKEN is provided automatically.
Adding security scanning
Run a dedicated security pass alongside the standard review:
    - run: |
        ./merlin review
        ./merlin run /security
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Multi-step workflow with describe and labels
    on:
      pull_request:
        types: [opened, synchronize, reopened]
    jobs:
      merlin:
        runs-on: ubuntu-latest
        permissions:
          contents: read  # checkout needs this: unlisted permissions default to none
          pull-requests: write
          issues: write # needed for label creation
        steps:
          - uses: actions/checkout@v4
            with:
              fetch-depth: 0
          - name: Download Merlin AI Code Review
            run: |
              curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
              chmod +x merlin
          - name: AI Review
            run: ./merlin review
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          - name: Security Scan
            run: ./merlin run /security
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          - name: Generate Labels
            run: ./merlin run /generate_labels
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
Webhook bot mode (enable PR comment commands)
Allow PR commenters to trigger commands like @merlin /review by running Merlin in webhook mode:
    on:
      issue_comment:
        types: [created]
    jobs:
      merlin-bot:
        # issue_comment also fires on plain issues; run only for pull requests
        if: github.event.issue.pull_request != null
        runs-on: ubuntu-latest
        permissions:
          contents: read  # checkout needs this: unlisted permissions default to none
          pull-requests: write
        steps:
          - uses: actions/checkout@v4
          - run: |
              curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
              chmod +x merlin && ./merlin webhook
            env:
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
              ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
              FERRET_GITHUB_SECRET: ${{ secrets.FERRET_GITHUB_SECRET }}
Caching the binary
Cache the Merlin AI Code Review binary across workflow runs to save ~5 seconds on each run:
    - name: Cache Merlin AI Code Review binary
      uses: actions/cache@v4
      with:
        path: merlin
        # static key: a cached binary is reused until the cache entry is evicted or the key changes
        key: merlin-${{ runner.os }}-latest
    - name: Download Merlin AI Code Review (if not cached)
      run: |
        if [ ! -f merlin ]; then
          curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
          chmod +x merlin
        fi
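The download steps in this guide fetch whatever releases/latest currently serves, the cache step reuses that file unchecked, and the binary then runs with GITHUB_TOKEN and ANTHROPIC_API_KEY in its environment. The script below is an added example, not part of Merlin or of the original guide: it pins one release tag and refuses to install or reuse a binary whose SHA-256 differs from a recorded value. MERLIN_TAG, MERLIN_SHA256 and the function names are assumptions; the guide publishes no tags or digests, so record both yourself from a release you have reviewed.

```sh
#!/bin/sh
# Added example, not the project's own script. MERLIN_TAG and MERLIN_SHA256
# are assumed inputs: a release tag you reviewed and the digest you recorded.
MERLIN_REPO="Arunachalamkalimuthu/merlin-ai-code-review"
MERLIN_ASSET="merlin-linux-amd64"

# URL of the asset for one fixed tag (GitHub's releases/download/<tag>/ form).
merlin_url() {
  printf 'https://github.com/%s/releases/download/%s/%s\n' \
    "$MERLIN_REPO" "$1" "$MERLIN_ASSET"
}

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeed only if the file exists and its digest equals the expected one.
verify_sha256() (
  [ -f "$1" ] || exit 2
  want="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  got="$(sha256_of "$1")"
  [ -n "$got" ] && [ "$got" = "$want" ]
)

# Download to a temp file; install as executable only after the digest matches.
install_merlin() (
  tmp="$(mktemp)" || exit 1
  if curl -fsSL "$(merlin_url "$1")" -o "$tmp" && verify_sha256 "$tmp" "$2"; then
    chmod +x "$tmp" && mv "$tmp" "${3:-merlin}"
  else
    rm -f "$tmp"
    echo "merlin: download failed or SHA-256 mismatch for $1" >&2
    exit 1
  fi
)

# Re-verify a cached binary as well; a cache hit is not an integrity check.
ensure_merlin() {
  verify_sha256 "${3:-merlin}" "$2" || install_merlin "$1" "$2" "${3:-merlin}"
}

# Runs only when both values are set, e.g. through the step's env: block.
if [ -n "${MERLIN_TAG:-}" ] && [ -n "${MERLIN_SHA256:-}" ]; then
  ensure_merlin "$MERLIN_TAG" "$MERLIN_SHA256" || exit 1
fi
```

If you use it together with the cache step, put the tag in the cache key in place of "latest" so that changing the pin also invalidates the cached file.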
Using a custom config
Add merlin.toml to your repo root to customize review behavior without touching the workflow:
    [ai]
    provider = "anthropic"
    model = "claude-sonnet-4-6"

    [review]
    focus = ["bugs", "security", "performance"]
    max_comments = 20
    reflect = true