|
| 1 | +# PR / MR Review Skill |
| 2 | + |
| 3 | +Use this skill when the user asks to **review a pull request or merge request** — |
| 4 | +typically with a prompt like: |
| 5 | + |
| 6 | +> `review <MR/PR URL>` (target develop branch) |
| 7 | +> |
| 8 | +> Is this a good PR? |
| 9 | +> Safe? No regressions? |
| 10 | +> Good UX? |
| 11 | +> No security issues? |
| 12 | +> Well documented? |
| 13 | +> Safe to merge? |
| 14 | +
|
| 15 | +This skill is for reviewing **someone else's** PR/MR at a URL. It is distinct |
| 16 | +from `.claude/skills/code-review.md`, which is the pre-commit self-review |
| 17 | +checklist applied to my own changes before returning them to the user. |
| 18 | + |
| 19 | +## Ground Rules |
| 20 | + |
| 21 | +1. **Never push, merge, approve, or comment on the PR** from this skill unless |
| 22 | + the user explicitly asks. Produce a written review for the user to act on. |
| 23 | +2. **Do not modify files** in the working copy as part of the review. Reviewing |
| 24 | + is read-only. |
| 25 | +3. Reference specific **files and line numbers** whenever citing an issue. |
| 26 | +4. If the PR targets a branch **other than `develop`**, call this out as the |
| 27 | + first finding. The expected target for this repo is `develop`. |
| 28 | +5. Keep findings factual and specific — quote the diff where useful. |
| 29 | + |
| 30 | +## Step 1 — Detect the URL and fetch PR metadata |
| 31 | + |
| 32 | +Identify the host from the URL. |
| 33 | + |
| 34 | +### GitHub PR (`github.com/<owner>/<repo>/pull/<NN>`) |
| 35 | + |
| 36 | +Prefer the `gh` CLI via Bash: |
| 37 | + |
| 38 | +```bash |
| 39 | +gh pr view <NN> --repo <owner>/<repo> --json \ |
| 40 | + title,body,author,state,mergeable,mergeStateStatus,baseRefName,headRefName,\ |
| 41 | + additions,deletions,changedFiles,files,statusCheckRollup,reviews,comments,url |
| 42 | + |
| 43 | +gh pr diff <NN> --repo <owner>/<repo> |
| 44 | +gh pr checks <NN> --repo <owner>/<repo> |
| 45 | +``` |
| 46 | + |
| 47 | +If a GitHub MCP server is configured, `pull_request_read` methods |
| 48 | +(`get`, `get_diff`, `get_files`, `get_status`, `get_reviews`, |
| 49 | +`get_comments`, `get_review_comments`) are equivalent. |
| 50 | + |
| 51 | +### GitLab MR (`gitlab.aws.dev/<group>/<project>/-/merge_requests/<NN>`) |
| 52 | + |
| 53 | +Use the `glab` CLI: |
| 54 | + |
| 55 | +```bash |
| 56 | +glab mr view <NN> --repo <group>/<project> |
| 57 | +glab mr diff <NN> --repo <group>/<project> |
| 58 | +glab mr note list <NN> --repo <group>/<project> |
| 59 | +glab ci status --repo <group>/<project> |
| 60 | +``` |
| 61 | + |
| 62 | +Fallback — `curl` against the GitLab API: |
| 63 | + |
| 64 | +```bash |
| 65 | +PROJECT=$(python3 -c "import urllib.parse,sys;print(urllib.parse.quote_plus(sys.argv[1]))" \ |
| 66 | + "<group>/<project>") |
| 67 | +TOKEN="${GITLAB_TOKEN:-$(yq -r .token ~/.config/glab-cli/config.yml 2>/dev/null)}" |
| 68 | +curl -sH "PRIVATE-TOKEN: $TOKEN" \ |
| 69 | + "https://gitlab.aws.dev/api/v4/projects/$PROJECT/merge_requests/<NN>" |
| 70 | +curl -sH "PRIVATE-TOKEN: $TOKEN" \ |
| 71 | + "https://gitlab.aws.dev/api/v4/projects/$PROJECT/merge_requests/<NN>/changes" |
| 72 | +``` |
| 73 | + |
| 74 | +### Collect at minimum |
| 75 | + |
| 76 | +- PR/MR title, description, author |
| 77 | +- Source branch → target branch (confirm target is `develop`) |
| 78 | +- CI / pipeline status |
| 79 | +- List of changed files with insertions / deletions |
| 80 | +- The full diff |
| 81 | +- Existing reviews and comments |
| 82 | +- Linked issues, if any |
| 83 | + |
| 84 | +For larger PRs (> ~500 lines changed or touching unfamiliar modules), read key |
| 85 | +changed files in full — not just the diff — using the `Read` tool on paths at |
| 86 | +the head ref so surrounding context is captured. |
| 87 | + |
| 88 | +## Step 2 — Evaluate the six review questions |
| 89 | + |
| 90 | +Work through each question. Reuse project coding-standards knowledge from the |
| 91 | +other skill files (`backend-lambda.md`, `frontend-ui.md`, `infrastructure.md`, |
| 92 | +`documentation.md`, `testing-qa.md`, `code-review.md`). |
| 93 | + |
| 94 | +### 1. Is this a good PR? |
| 95 | +- Scope is focused (single feature / fix / refactor; not a grab-bag) |
| 96 | +- Title is descriptive and follows convention (e.g. `feat:`, `fix:`, `docs:`) |
| 97 | +- Description explains **what** and **why**, and links to an issue when applicable |
| 98 | +- Targets `develop` (flag otherwise) |
| 99 | +- CI is green (or failures are understood) |
| 100 | +- Size is reviewable — very large PRs should be called out |
| 101 | + |
| 102 | +### 2. Safe? No regressions? |
| 103 | +- New/changed logic has **unit tests**; assertions are meaningful |
| 104 | +- Existing tests are not deleted or weakened without justification |
| 105 | +- Backward compatibility maintained for shared interfaces: |
| 106 | + - `Document` model and its serialization |
| 107 | + - Config schemas under `config_library/` |
| 108 | + - GraphQL schema and generated types in `src/ui/src/graphql/generated/` |
| 109 | + - Lambda handler event/response contracts |
| 110 | +- No obvious race conditions, unbounded loops, or missing pagination |
| 111 | +- Error handling uses explicit exceptions (no bare `except:`), with `exc_info=True` |
| 112 | +- No removal of observability (X-Ray `patch_all`, structured logging) |
| 113 | + |
| 114 | +### 3. Good UX? |
| 115 | +- **Frontend** (`src/ui/`): |
| 116 | + - Cloudscape Design System components (not MUI / AntD / Bootstrap) |
| 117 | + - Loading, empty, and error states handled |
| 118 | + - Arrow-function components; hooks in kebab-case files |
| 119 | + - `ConsoleLogger` used, no stray `console.log` |
| 120 | + - Accessibility: labels on inputs, keyboard nav, focus management |
| 121 | + - `DOMPurify` used for any `dangerouslySetInnerHTML` |
| 122 | + - Responsive behavior reasonable |
| 123 | +- **Backend / API**: |
| 124 | + - Actionable error messages; failures surface to the UI (e.g. status on `Document`) |
| 125 | + - Progress / status updated at meaningful checkpoints |
| 126 | + - Sensible defaults; new required config has migration guidance |
| 127 | + |
| 128 | +### 4. No security issues? |
| 129 | +- No hardcoded credentials, API keys, or tokens |
| 130 | +- No full JWTs logged in plaintext (Talos finding #10) |
| 131 | +- No hardcoded `arn:aws:` partitions — must use `${AWS::Partition}` |
| 132 | + (validated by `make check-arn-partitions`) |
| 133 | +- No hardcoded `amazonaws.com` — must use `${AWS::URLSuffix}` |
| 134 | +- IAM policies scoped — no `Resource: "*"` or wildcard S3 ARNs without |
| 135 | + written justification |
| 136 | +- `PermissionsBoundary` conditional present on new IAM roles |
| 137 | +- New Lambdas have a dedicated `AWS::Logs::LogGroup` with KMS encryption |
| 138 | +- Input validation on new API surfaces; DOMPurify on HTML render paths |
| 139 | +- New Python/npm dependencies are pinned and from trusted sources |
| 140 | +- `cfn-nag` / `checkov` suppressions include `reason:` metadata |
| 141 | +- No new public S3 buckets, public SNS topics, or open security groups |
| 142 | + |
| 143 | +### 5. Well documented? |
| 144 | +- User-facing changes update `CHANGELOG.md` |
| 145 | +- Feature docs added/updated under `docs/` with: |
| 146 | + - YAML frontmatter (`title:` required) |
| 147 | + - License header after frontmatter |
| 148 | +- Cross-references to related docs added where helpful |
| 149 | +- Public functions/classes have docstrings |
| 150 | +- Complex logic has inline comments explaining *why* |
| 151 | +- If GraphQL schema changed, `make codegen` has been run and generated files |
| 152 | + are included in the PR (or a note explains why not) |
| 153 | + |
| 154 | +### 6. Safe to merge? |
| 155 | +- Targets `develop` ✅ |
| 156 | +- CI / pipeline green ✅ |
| 157 | +- No unresolved review comments on the latest commit |
| 158 | +- No merge conflicts |
| 159 | +- `VERSION` / version bump done if required by change scope |
| 160 | +- No leftover `TODO` / `FIXME` / debug prints / commented-out code blocks |
| 161 | +- Migration notes provided for any breaking change |
| 162 | + |
| 163 | +## Step 3 — Produce the review |
| 164 | + |
| 165 | +Output the review in this exact structure so the user can paste it or act on it: |
| 166 | + |
| 167 | +```markdown |
| 168 | +## PR/MR Review: <title> (#<NN>) |
| 169 | +**Repo:** <owner/repo> |
| 170 | +**Author:** @<author> |
| 171 | +**Source → Target:** `<source>` → `<target>` <!-- ⚠️ if not develop --> |
| 172 | +**CI status:** ✅ passing | ❌ failing | ⏳ pending |
| 173 | +**Size:** +<insertions> / -<deletions> across <N> files |
| 174 | + |
| 175 | +### Summary |
| 176 | +<1–3 sentence plain-English description of what this PR does.> |
| 177 | + |
| 178 | +### Verdict |
| 179 | + |
| 180 | +| Question | Verdict | Notes | |
| 181 | +|---|---|---| |
| 182 | +| Good PR? | ✅ / ⚠️ / ❌ | … | |
| 183 | +| Safe / no regressions? | … | … | |
| 184 | +| Good UX? | … / N/A | … | |
| 185 | +| No security issues? | … | … | |
| 186 | +| Well documented? | … | … | |
| 187 | +| **Safe to merge?** | ✅ Approve / ⚠️ Request changes / ❌ Block | … | |
| 188 | + |
| 189 | +### Findings |
| 190 | +- 🔴 **Blocking** — <file>:<line> — description + suggested fix |
| 191 | +- 🟡 **Should fix** — <file>:<line> — description |
| 192 | +- 🟢 **Nice to have** — <file>:<line> — description |
| 193 | + |
| 194 | +### Recommendation |
| 195 | +**Approve** / **Request changes** / **Comment** |
| 196 | + |
| 197 | +<one-paragraph rationale> |
| 198 | +``` |
| 199 | + |
| 200 | +Legend: |
| 201 | +- ✅ pass / 🟢 nit — non-blocking |
| 202 | +- ⚠️ / 🟡 — should fix before merge |
| 203 | +- ❌ / 🔴 — blocking; must fix before merge |
| 204 | + |
| 205 | +## Step 4 — After delivering the review |
| 206 | + |
| 207 | +- Do **not** post the review as a PR/MR comment unless the user explicitly |
| 208 | + said "post this as a review comment" or similar. |
| 209 | +- If the user asks follow-up questions, re-use the already-fetched diff / |
| 210 | + metadata rather than re-fetching. |
| 211 | +- If the user asks you to implement the requested changes, switch context: |
| 212 | + treat it as a new implementation task following the relevant skill files. |
| 213 | + |
| 214 | +## Quick Reference — Common Red Flags |
| 215 | + |
| 216 | +Flag these immediately when seen in any diff: |
| 217 | + |
| 218 | +- `arn:aws:` literal in a CloudFormation / SAM template |
| 219 | +- `amazonaws.com` literal (should be `${AWS::URLSuffix}`) |
| 220 | +- `Resource: "*"` in a new IAM policy statement |
| 221 | +- `Principal: "*"` in a new resource policy |
| 222 | +- `console.log(` in production UI code |
| 223 | +- `print(` used for logging in Lambda code |
| 224 | +- New Lambda without dedicated LogGroup + KMS |
| 225 | +- New IAM role without a `PermissionsBoundary` conditional |
| 226 | +- Secrets / access keys / JWTs in code, logs, or tests |
| 227 | +- Deleted tests without a replacement |
| 228 | +- Schema change in `src/ui/src/graphql/schema.graphql` without regenerated |
| 229 | + files under `src/ui/src/graphql/generated/` |
| 230 | +- `Document` model field removed or renamed without a migration path |
| 231 | +- Wildcards in S3 bucket/object ARNs without `reason:` metadata |
0 commit comments