AgentSkillsCN

Pr Review Comments

PR评审意见

SKILL.md

Skill: Address GitHub PR Review Comments

Purpose

Address all automated review comments on pull requests, including GitHub Copilot suggestions, GitHub Advanced Security (CodeQL) findings, and Dependabot alerts.

Trigger

Run this skill whenever:

  • A PR has open review comments from bots (Copilot, CodeQL, Dependabot)
  • Before merging any PR
  • After pushing new commits to a PR

Workflow

1. Gather All Comments

bash
# Get inline review comments (Copilot, CodeQL, security bots)
gh api repos/{owner}/{repo}/pulls/{pr}/comments \
  --jq '.[] | {user: .user.login, path: .path, line: .line, body: .body}'

# Get PR reviews
gh pr view {pr} --json reviews \
  --jq '.reviews[] | {author: .author.login, state: .state, body: .body}'

# Get code scanning alerts
gh api repos/{owner}/{repo}/code-scanning/alerts \
  --jq '.[] | select(.state == "open") | {number: .number, rule: .rule.id, description: .rule.description, file: .most_recent_instance.location.path, line: .most_recent_instance.location.start_line}'

2. Categorize and Prioritize

Priority 1 — Security (must fix before merge):

  • Hard-coded secrets/passwords/keys
  • Missing permissions blocks
  • SQL injection, XSS, command injection
  • Dependency vulnerabilities (Dependabot)

Priority 2 — Correctness (should fix):

  • Logic errors flagged by Copilot
  • Race conditions
  • Error handling gaps

Priority 3 — Style (fix if trivial):

  • Naming conventions
  • Code organization suggestions
  • Documentation gaps

3. Fix Each Issue

For each comment:

  1. Read the flagged code in context
  2. Understand the concern
  3. Apply the fix
  4. Verify with cargo check / cargo test / relevant test suite
  5. Run cargo fmt after all fixes

4. Commit and Verify

bash
# Stage fixes
git add <fixed-files>

# Commit with clear message referencing the alerts
git commit -m "fix: address security/review findings

- <list each fix>

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>"

# Push and verify CI passes
git push

5. Verify Alerts Resolved

bash
# Check code scanning alerts cleared
gh api repos/{owner}/{repo}/code-scanning/alerts \
  --jq '.[] | select(.state == "open") | .number'

# Check PR review status
gh pr checks {pr}

Common Patterns

CodeQL: Hard-coded cryptographic values

Replace with runtime-generated values:

rust
// BAD: let secret = "default-secret";
// GOOD: let secret = generate_random_secret();

CodeQL: Missing workflow permissions

Add minimal permissions at workflow level:

yaml
permissions:
  contents: read

Copilot: Unused variables

Remove or prefix with underscore.

Copilot: Error handling

Add proper error propagation instead of unwrap().

Notes

  • Always run full test suite after applying fixes
  • Security fixes take priority over feature work
  • If a Copilot suggestion would change behavior, evaluate carefully before applying
  • For false positives, dismiss the review with a clear explanation