GitHub Actions Integration

Automate code reviews on every pull request with Bop and GitHub Actions. This guide covers setup, configuration, and troubleshooting.

Quick Start

Add this workflow to .github/workflows/bop-review.yml:

name: Bop Code Review

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for accurate diffs

      - uses: delightfulhammers/bop/action@v1
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

That’s it. One API key, one step, automatic PR reviews. One caveat: on pull_request events raised from a fork, GitHub by default gives the job a read-only GITHUB_TOKEN and withholds repository secrets, so the step has no API key and could not post comments even if it had one. Reviews therefore run only for branches pushed to the repository itself.

Action Inputs

Input               Default   Description
anthropic-api-key             Anthropic API key (recommended)
openai-api-key                OpenAI API key (optional)
google-api-key                Google Gemini API key (optional)
base-ref            main      Base branch to compare against
block-threshold     none      Severity threshold for blocking (critical, high, medium, low, none)
reviewers                     Comma-separated reviewer personas
post-findings       true      Post findings as PR review comments
fail-on-findings    false     Fail the workflow if findings are detected
log-level           info      Log level (trace, debug, info, error)
version             latest    Bop version to install (e.g., v0.7.2)

Required Secrets

Configure at least one API key in your repository settings (Settings > Secrets and variables > Actions):

Secret              Required      Description
ANTHROPIC_API_KEY   Recommended   Anthropic Claude API key
OPENAI_API_KEY      Optional      OpenAI GPT API key
GEMINI_API_KEY      Optional      Google Gemini API key

The GITHUB_TOKEN is automatically provided by GitHub Actions.

Permissions

The workflow requires these permissions:

permissions:
  contents: read       # Read repository contents
  pull-requests: write # Post review comments

Configuration Options

Using Action Inputs

- uses: delightfulhammers/bop/action@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    base-ref: develop
    block-threshold: high
    reviewers: security,architecture
    log-level: debug

Using a Config File

Include a bop.yaml or .bop.yaml in your repository root for full configuration:

# bop.yaml
review:
  blockThreshold: high
  alwaysBlockCategories:
    - security

reviewers:
  security:
    provider: anthropic
    weight: 1.5
    persona: |
      You are a security engineer focusing on OWASP Top 10.
    focus:
      - security

defaultReviewers:
  - default
  - security

Block Threshold

The block-threshold input controls when the action fails (blocks the PR):

Value      Blocks On
critical   Only critical findings
high       Critical and high findings
medium     Critical, high, and medium findings
low        All findings
none       Never blocks (comment only)

Skip Triggers

Skip reviews on certain commits by including keywords in the commit message:

  • [skip bop]
  • [bop skip]
  • [skip review]
  • [no review]

Example:

git commit -m "chore: update deps [skip bop]"

Anyone who can push to the branch can add these keywords, so treat skip triggers as a convenience for the author rather than a control. If a review is mandatory for a branch, enforce it with branch protection and a block threshold instead of relying on the keywords being absent.

Advanced Workflows

Review Only on Specific Paths

on:
  pull_request:
    paths:
      - 'src/**'
      - 'lib/**'
      - '!**/*.md'
      - '!**/*.txt'

Multiple Providers

- uses: delightfulhammers/bop/action@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    openai-api-key: ${{ secrets.OPENAI_API_KEY }}
    google-api-key: ${{ secrets.GEMINI_API_KEY }}
    reviewers: security,architecture,performance

Pin a Specific Version

- uses: delightfulhammers/bop/action@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    version: v0.7.2

This pins the Bop binary that the action installs. The @v1 reference to the action itself is still a movable tag (see Security Best Practices).

Branch Protection Integration

Configure branch protection to require Bop reviews:

  1. Go to Settings > Branches > Branch protection rules
  2. Click Add rule for your main branch
  3. Enable Require status checks to pass before merging
  4. Search for and select the Bop workflow job name (review in the Quick Start workflow)

A required status check only blocks a merge when the job fails. With the defaults (block-threshold: none, fail-on-findings: false) the job succeeds whatever it finds, so set a block-threshold (or fail-on-findings: true) for the rule to have any effect.

Output and Artifacts

Step Summary

Bop writes a summary to the GitHub Actions step summary, visible on the workflow run page.

SARIF Upload

Upload SARIF results to GitHub Code Scanning. The upload step needs security-events: write in the workflow’s permissions block, in addition to the two scopes shown in Quick Start:

- uses: delightfulhammers/bop/action@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  if: always()
  with:
    sarif_file: review-output/*.sarif

Artifact Upload

Save review artifacts for later analysis:

- name: Upload Review Artifacts
  uses: actions/upload-artifact@v4
  if: always()
  with:
    name: bop-review
    path: review-output/
    retention-days: 7

Manual Installation (Alternative)

If you prefer not to use the composite action:

- name: Install Bop
  run: |
    # --fail makes curl exit non-zero on an HTTP error instead of saving the
    # error page as the archive. Prefer a pinned release over "latest" and
    # verify the archive against a checksum obtained out of band before
    # extracting and installing it.
    curl --fail -LO https://github.com/delightfulhammers/homebrew-tap/releases/latest/download/bop-linux-amd64.tar.gz
    tar xzf bop-linux-amd64.tar.gz
    sudo mv bop bop-mcp /usr/local/bin/

- name: Run Code Review
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
  run: bop github-action

Platform Integration (Coming Soon)

Bop Pro will add OIDC-based platform authentication for GitHub Actions, enabling:

  • Keyless authentication (no API key secrets needed)
  • Centralized team configuration
  • Usage analytics and budget controls

When you enable it, OIDC needs this permission:

permissions:
  id-token: write  # Required for OIDC (Pro feature)

Add id-token: write to the workflow’s existing permissions block rather than writing a new one: a permissions key replaces GitHub’s defaults, so any scope it does not list (contents, pull-requests) becomes none. Because the scope lets every step in the job request an OIDC token, add it when you switch the feature on, not ahead of time.

Troubleshooting

“Resource not accessible by integration”

This error means the GITHUB_TOKEN lacks permissions. Ensure your workflow has:

permissions:
  contents: read
  pull-requests: write

The same error appears on pull requests opened from forks, where GitHub issues a read-only GITHUB_TOKEN regardless of the permissions block (and withholds secrets). Do not work around it by switching the trigger to pull_request_target while still checking out the pull request head: that runs the contributor’s code with a write-capable token and your API keys.

“No findings posted”

  1. Check that post-findings is true (default)
  2. Verify the PR has actual code changes (not just markdown)
  3. Check the workflow logs for errors

“Rate limited”

LLM providers have rate limits. Solutions:

  1. Reduce the number of reviewers
  2. Skip review on certain paths (documentation, etc.)
  3. Use faster/cheaper models in your config

Timeout Issues

Large PRs may time out. Solutions:

  1. Set an explicit job timeout. GitHub’s default job timeout is 360 minutes, so a value like 30 bounds a hung review rather than extending it; if a legitimately large review is being cut off by a timeout you set earlier, raise that value:

    jobs:
      review:
        timeout-minutes: 30

  2. Use faster models in your bop.yaml:

    reviewers:
      quick:
        provider: gemini
        model: gemini-3-flash-preview

  3. Split large PRs into smaller ones

Debug Mode

Enable debug logging:

- uses: delightfulhammers/bop/action@v1
  with:
    anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
    log-level: debug

Cost Considerations

Each PR review uses LLM API tokens. Estimated costs vary by:

  • PR size: Larger diffs = more tokens
  • Number of reviewers: More reviewers = more API calls
  • Verification: Enabling verification adds ~30% cost

To manage costs:

  1. Use the default single reviewer (cheapest option)
  2. Use faster models (Gemini Flash) for custom reviewers
  3. Skip verification on non-critical repos
  4. Use path filters to skip non-code files

Security Best Practices

  1. Use secrets for API keys - Never hardcode API keys
  2. Limit permissions - Only grant required permissions: contents: read and pull-requests: write for the basic workflow, security-events: write only if you upload SARIF, id-token: write only once you use OIDC
  3. Review workflow changes - Require approval for workflow modifications
  4. Enable redaction - Prevent secrets in code from reaching LLMs
  5. Pin actions to a commit - @v1 and @v4 are movable tags; pin delightfulhammers/bop/action and the other actions you use to a full commit SHA, and pin the Bop binary with the version input instead of latest
  6. Keep the pull_request trigger - pull_request_target combined with checking out the PR head runs untrusted code with a write-capable token and your secrets
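The practices above combined into one workflow, as an added example rather than the project’s own sample. The <full-commit-sha> placeholders are hypothetical and must be replaced with the commit digest of the release you have reviewed; every other input and scope comes from this page.

```yaml
name: Bop Code Review (hardened)

on:
  pull_request:
    types: [opened, synchronize, reopened]
    paths:
      - 'src/**'
      - 'lib/**'
      - '!**/*.md'
      - '!**/*.txt'

# A new push to the PR cancels the review still running for the old head,
# which also caps the LLM spend on rapidly updated PRs.
concurrency:
  group: bop-${{ github.event.pull_request.number }}
  cancel-in-progress: true

# Least privilege: only the scopes the steps below actually use.
permissions:
  contents: read            # check out the repository
  pull-requests: write      # post review comments
  security-events: write    # needed by upload-sarif

jobs:
  review:                   # this job name is what the branch protection rule selects
    runs-on: ubuntu-latest
    timeout-minutes: 30     # bound a hung review; GitHub's default is 360 minutes
    steps:
      # Third-party actions pinned to a full commit SHA, not a movable tag.
      # <full-commit-sha> is a placeholder: look the digest up from the release.
      - uses: actions/checkout@<full-commit-sha>   # v4
        with:
          fetch-depth: 0    # full history for accurate diffs

      - uses: delightfulhammers/bop/action@<full-commit-sha>   # v1
        with:
          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
          version: v0.7.2          # pin the Bop binary too, not "latest"
          block-threshold: high    # without a threshold the required check can never fail
          reviewers: security,architecture

      - name: Upload SARIF
        if: always()
        uses: github/codeql-action/upload-sarif@<full-commit-sha>   # v3
        with:
          sarif_file: review-output/*.sarif

      - name: Upload Review Artifacts
        if: always()
        uses: actions/upload-artifact@<full-commit-sha>   # v4
        with:
          name: bop-review
          path: review-output/
          retention-days: 7
```

The trigger stays on pull_request, so contributions from forks get no secrets and a read-only token and are simply not reviewed; that is the intended trade-off, not a configuration to fix with pull_request_target.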