Safety hub · Updated June 22, 2026
AI PR Review Workflow Safety: GitHub Actions, Tokens, and Approval Gates
Short answer
An AI PR review workflow should start as a read-only review routine. Inspect the GitHub source, event trigger, token permissions, secrets exposure, shell steps, PR comment behavior, and approval gates before letting it run on real repositories. Avoid write-all tokens, unpinned third-party actions, PR-controlled shell input, and automatic comments, pushes, labels, merges, or deployments until a human approves the output.
Use this hub before adopting an AI PR review workflow from GitHub. The highest-risk patterns are not the model call itself, but the workflow trigger, token scope, shell input, secrets exposure, and whether generated output can write back to the repository.
Who this is for
- Developers evaluating Codex, Claude Code, or opencode PR review workflows.
- Maintainers adding AI review steps to GitHub Actions.
- Security reviewers checking token, secret, shell, and PR comment risk before adoption.
What can go wrong
AI PR review workflows combine untrusted pull request text with repository permissions. The dangerous part is when generated output can run shell commands, expose secrets, or write back to GitHub before a human reviews it.
Minimum safe GitHub Actions baseline
- Default to read-only diff and CI log analysis.
- Set explicit least-privilege GitHub token permissions instead of write-all token permissions.
- Pin third-party actions and review every shell step.
- Keep secrets unavailable to untrusted pull request contexts.
- Generate a report first; require human approval before comments, commits, labels, merges, releases, deploys, or file writes.
Unsafe patterns to avoid
- pull_request_target jobs that read or execute PR-controlled content without isolation.
- write-all token permissions for workflows that only need read-only review.
- unpinned third-party actions in privileged PR review workflows.
- PR-controlled shell input from branch names, comments, file paths, commit messages, issue text, or diffs.
- secrets exposure to forked pull requests, logs, prompts, or generated reports.
- automatic comments, pushes, labels, merges, releases, deploys, or file writes without human approval.
- prompt injection from code, comments, branch names, issues, or CI logs becoming instructions for the model.
Checklist
- GitHub Actions event triggers, especially pull_request_target and fork behavior.
- Token permissions, write-all defaults, and whether the workflow can comment, label, push, merge, release, or deploy.
- Shell steps that receive branch names, comments, commit messages, file paths, diffs, issue text, or other PR-controlled input.
- Third-party actions, action pinning, secrets access, generated comments, and where a human must approve output.
How to use with Codex, Claude Code, opencode, and OpenClaw
- Use Codex for local read-only diff review and Markdown handoff before wiring GitHub writes.
- Use Claude Code to inspect GitHub Action triggers, comments, and workflow command boundaries.
- Use opencode for terminal-visible PR review experiments on disposable branches.
- Use OpenClaw only after approval gates and rollback notes are explicit for long-running sessions.
Reviewed workflows
openai/codex · High evidence coverage Claude Code Action Code Review Source Pattern
anthropics/claude-code-action · High evidence coverage Super-Linter Code Review Source Pattern
github/super-linter · Medium evidence coverage reviewdog Code Review Source Pattern
reviewdog/reviewdog · Medium evidence coverage GitHub Actions Starter Workflows Code Review Source Pattern
actions/starter-workflows · Medium evidence coverage
Related guides
FAQ
What is the safest default for an AI PR review workflow?
Start read-only. Let the workflow inspect a diff or CI log and produce a report, but keep comments, commits, labels, merges, deploys, and file writes behind human approval.
Should AI PR review workflows use pull_request_target?
Only with extreme care. Treat pull_request_target, secrets, and write-capable tokens as high-risk because untrusted pull request content can influence workflow behavior.
What should I inspect before running a GitHub Action based reviewer?
Inspect event triggers, permissions, third-party action pinning, shell steps, secret access, generated comments, and whether the workflow can write to the repository.
Suggest a public repo for discovery
Send only public GitHub repository URLs. Do not send private code, secrets, tokens, customer data, or proprietary files. Suggestions enter the automated discovery queue. Publication is not guaranteed. Evidence coverage is not a safety certification.
Related questions
- How do I safely run an AI PR review workflow?
- What should I check before installing an AI PR review GitHub Action?
- Which GitHub Actions permissions are risky for AI code review?
Common search phrases
AI PR review workflow safety, GitHub Actions AI review risk, pull_request_target AI review, GitHub token permissions PR review, AI code review approval gates