Skip to main content

View Example Plugin

Check out the complete PR review plugin with ready-to-use code and configuration.
Automated code review helps maintain code quality, catch bugs early, and enforce coding standards consistently across your team. OpenHands provides a GitHub Actions workflow powered by the Software Agent SDK that automatically reviews pull requests and posts inline comments directly on your PRs.

Overview

The OpenHands PR Review workflow is a GitHub Actions workflow that:
  • Triggers automatically when PRs are opened or when you request a review
  • Analyzes code changes in the context of your entire repository
  • Posts inline comments directly on specific lines of code in the PR
  • Provides fast feedback - typically within 2-3 minutes

How It Works

The PR review workflow uses the OpenHands Software Agent SDK to analyze your code changes:
  1. Trigger: The workflow runs when:
    • A new non-draft PR is opened
    • A draft PR is marked as ready for review
    • The review-this label is added to a PR
    • openhands-agent is requested as a reviewer
  2. Analysis: The agent receives the complete PR diff and uses two skills:
    • /codereview: Analyzes code for quality, security, data structures, and best practices with a focus on simplicity and pragmatism
    • /github-pr-review: Posts structured inline comments via the GitHub API
  3. Output: Review comments are posted directly on the PR with:
    • Priority labels (🔴 Critical, 🟠 Important, 🟡 Suggestion, 🟢 Nit)
    • Specific line references
    • Actionable suggestions with code examples

Quick Start

1

Copy the workflow file

Create .github/workflows/pr-review-by-openhands.yml in your repository:
2

Add your LLM API key

Go to your repository’s Settings → Secrets and variables → Actions and add:
3

Create the review label

Create a review-this label in your repository:
  1. Go to Issues → Labels
  2. Click New label
  3. Name: review-this
  4. Description: Trigger OpenHands PR review
4

Trigger a review

Open a PR and either:
  • Add the review-this label, OR
  • Request openhands-agent as a reviewer

Composite Action

Action Path Updated: The PR review action has moved to the extensions repository. If your workflow still references the old path, update it:
  • Old: OpenHands/software-agent-sdk/.github/actions/pr-review@main
  • New: OpenHands/extensions/plugins/pr-review@main
The workflow uses a reusable composite action that handles all the setup automatically:
  • Checking out the extensions repository at the specified version
  • Setting up Python and dependencies
  • Running the PR review agent (from extensions repo)
  • Uploading logs as artifacts

Action Inputs

Use extensions-version to pin to a specific version tag (e.g., v1.0.0) for production stability, or use main to always get the latest features. The extensions repository contains the PR review plugin scripts.

Experimental: ACP Review Backend

The PR review action can run through an ACP-compatible agent server by setting agent-kind: acp. In this mode, OpenHands still loads the review skills and plugin prompt context, but the ACP server owns model access, authentication, and tool execution. Use ACP mode when your runner already has an authenticated ACP CLI available. The action does not install ACP CLIs for you; install and authenticate the ACP server in workflow steps before invoking the PR review action.
ACP mode is experimental. Use it on trusted self-hosted runners where you control the installed ACP command and the authentication material. Do not expose subscription credentials to workflows that run untrusted pull request code.

Codex ACP Example

To use Codex ACP, first install the Codex CLI and complete device-code login on a trusted machine:
Then create a base64-encoded secret from the generated auth file:
Store the printed value as a repository or organization secret named CODEX_AUTH_JSON_B64. The workflow can then restore that file on a self-hosted runner, start Codex ACP with npx, and run the review:

Customization

Repository-Specific Review Guidelines

Add repo-specific review rules by creating a skill file at .agents/skills/custom-codereview-guide.md:
Do not name your skill code-review. The pr-review plugin ships its own code-review skill, and plugin skills override project skills with the same name. Use a different name (e.g. custom-codereview-guide) with the /codereview trigger so both skills are active — the plugin provides the review framework while your skill adds repo-specific rules.
The skill file must use /codereview as the trigger so it activates alongside the default review behavior. See the software-agent-sdk’s own custom-codereview-guide for a complete example.

Workflow Configuration

Customize the workflow by modifying the action inputs:

Trigger Customization

Modify when reviews are triggered by editing the workflow conditions:

Security Considerations

The workflow uses pull_request_target so the code review agent can work properly for PRs from forks. Only users with write access can trigger reviews via labels or reviewer requests.
Potential Risk: A malicious contributor could submit a PR from a fork containing code designed to exfiltrate your LLM_API_KEY when the review agent analyzes their code.To mitigate this, the PR review workflow passes API keys as SDK secrets rather than environment variables, which prevents the agent from directly accessing these credentials during code execution.

Example Reviews

See real automated reviews in action on the OpenHands Software Agent SDK repository:

Troubleshooting

  • Ensure the LLM_API_KEY secret is set correctly
  • Check that the label name matches exactly (review-this)
  • Verify the workflow file is in .github/workflows/
  • Check the Actions tab for workflow run errors
  • Ensure GITHUB_TOKEN has pull-requests: write permission
  • Check the workflow logs for API errors
  • Verify the PR is not from a fork with restricted permissions
  • Large PRs may take longer to analyze
  • Consider splitting large PRs into smaller ones
  • Check if the LLM API is experiencing delays

Automate This

You can schedule daily code reviews using OpenHands Automations. Copy this prompt into a new conversation to set one up:
For inline review comments on every push, use the pr-review plugin as a GitHub Action instead.