Skill: Address GitHub PR Review Comments
Purpose
Address all automated review comments on pull requests, including GitHub Copilot suggestions, GitHub Advanced Security (CodeQL) findings, and Dependabot alerts.
Trigger
Run this skill whenever:
- •A PR has open review comments from bots (Copilot, CodeQL, Dependabot)
- •Before merging any PR
- •After pushing new commits to a PR
Workflow
1. Gather All Comments
bash
# Get inline review comments (Copilot, CodeQL, security bots)
gh api repos/{owner}/{repo}/pulls/{pr}/comments \
--jq '.[] | {user: .user.login, path: .path, line: .line, body: .body}'
# Get PR reviews
gh pr view {pr} --json reviews \
--jq '.reviews[] | {author: .author.login, state: .state, body: .body}'
# Get code scanning alerts
gh api repos/{owner}/{repo}/code-scanning/alerts \
--jq '.[] | select(.state == "open") | {number: .number, rule: .rule.id, description: .rule.description, file: .most_recent_instance.location.path, line: .most_recent_instance.location.start_line}'
2. Categorize and Prioritize
Priority 1 — Security (must fix before merge):
- •Hard-coded secrets/passwords/keys
- •Missing permissions blocks
- •SQL injection, XSS, command injection
- •Dependency vulnerabilities (Dependabot)
Priority 2 — Correctness (should fix):
- •Logic errors flagged by Copilot
- •Race conditions
- •Error handling gaps
Priority 3 — Style (fix if trivial):
- •Naming conventions
- •Code organization suggestions
- •Documentation gaps
3. Fix Each Issue
For each comment:
- •Read the flagged code in context
- •Understand the concern
- •Apply the fix
- •Verify with
cargo check/cargo test/ relevant test suite - •Run
cargo fmtafter all fixes
4. Commit and Verify
bash
# Stage fixes git add <fixed-files> # Commit with clear message referencing the alerts git commit -m "fix: address security/review findings - <list each fix> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>" # Push and verify CI passes git push
5. Verify Alerts Resolved
bash
# Check code scanning alerts cleared
gh api repos/{owner}/{repo}/code-scanning/alerts \
--jq '.[] | select(.state == "open") | .number'
# Check PR review status
gh pr checks {pr}
Common Patterns
CodeQL: Hard-coded cryptographic values
Replace with runtime-generated values:
rust
// BAD: let secret = "default-secret"; // GOOD: let secret = generate_random_secret();
CodeQL: Missing workflow permissions
Add minimal permissions at workflow level:
yaml
permissions: contents: read
Copilot: Unused variables
Remove or prefix with underscore.
Copilot: Error handling
Add proper error propagation instead of unwrap().
Notes
- •Always run full test suite after applying fixes
- •Security fixes take priority over feature work
- •If a Copilot suggestion would change behavior, evaluate carefully before applying
- •For false positives, dismiss the review with a clear explanation