Commit 1b0eade

docs: add step-by-step walkthrough after review script
1 parent f716ce8 commit 1b0eade

1 file changed

Lines changed: 13 additions & 3 deletions

docs/use-cases/ci-cd.mdx

@@ -96,9 +96,7 @@ jobs:
9696
9797
## Review Script
9898
99-
The review script is called by the workflow above. It creates an E2B sandbox, clones the PR branch, collects the diff for AI analysis, runs the test suite, and posts results back to the pull request.
100-
101-
The `GITHUB_TOKEN` provided by GitHub Actions authenticates git clone operations when paired with `x-access-token` as the username — this is the standard [GitHub Apps authentication pattern](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation). The `commands.run()` method throws on non-zero exit codes (`CommandExitError` in JavaScript, `CommandExitException` in Python), so test failures are caught with try/catch.
99+
The workflow calls this script on every PR. It runs five steps inside an E2B sandbox, keeping all untrusted code isolated from the CI runner.
102100
103101
<CodeGroup>
104102
```typescript review.mjs expandable
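Review bot: The added sentence at new line 99 says the script "runs five steps inside an E2B sandbox", but the step list added later in this commit describes sending the diff to the LLM (Step 3) and posting the PR comment (Step 5) as actions of the script itself, with only the clone, `git diff` and the tests executed in the sandbox. Suggest wording such as "It works in five steps and runs the clone, diff and test suite inside an E2B sandbox, so untrusted PR code never executes on the CI runner." The removed paragraph's detail on `x-access-token` and on `commands.run()` throwing is carried over into Steps 2 and 4, so nothing is lost there.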
@@ -273,6 +271,18 @@ print("Done")
273271
```
274272
</CodeGroup>
275273

274+
### What the script does
275+
276+
**Step 1 — Create a sandbox.** `Sandbox.create()` spins up a fresh Linux environment via the E2B API. The `timeoutMs` / `timeout` sets a 5-minute auto-destroy limit so forgotten sandboxes don't run up costs.
277+
278+
**Step 2 — Clone the PR branch.** `sandbox.git.clone()` clones the repository inside the sandbox, not on the CI runner. The `GITHUB_TOKEN` provided by GitHub Actions authenticates the clone when paired with `x-access-token` as the username — this is the standard [GitHub Apps authentication pattern](https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation). `depth: 1` makes it a shallow clone for speed.
279+
280+
**Step 3 — AI code review.** `sandbox.commands.run()` executes `git diff` inside the sandbox and returns the output in `stdout`. The diff is then sent to an LLM (OpenAI GPT-4o in this example) with a system prompt asking for a code review. You can swap this for any model or provider — see [Connect LLMs](/docs/quickstart/connect-llms).
281+
282+
**Step 4 — Run tests.** The test suite runs inside the sandbox with `onStdout` / `on_stdout` callbacks that stream output in real time to the GitHub Actions logs. The `commands.run()` method throws when a command exits with a non-zero code — `CommandExitError` in JavaScript, `CommandExitException` in Python — so test failures are caught with try/catch and cause the workflow to fail.
283+
284+
**Step 5 — Post results.** The review is posted as a PR comment via the [GitHub REST API](https://docs.github.com/en/rest/issues/comments#create-an-issue-comment). The `GITHUB_TOKEN` has write access thanks to the `permissions` block in the workflow. Finally, `sandbox.kill()` destroys the sandbox immediately rather than waiting for the timeout.
285+
276286
## Related Guides
277287

278288
<CardGroup cols={3}>
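Review bot: Step 2 (new line 278) passes `GITHUB_TOKEN` into the sandbox for the clone, Step 5 states that this token has write access, and Step 4 then runs the PR's test suite in that same sandbox; the walkthrough should say whether the credential remains readable there (for example in the clone's remote configuration) and, if so, recommend a read-only token for the clone or removing it before the tests run. Step 3 would also benefit from a sentence noting that the diff is text controlled by the PR author going into the LLM prompt, and that the model's reply is what gets posted in Step 5. Minor: Step 1 writes "`timeoutMs` / `timeout` sets", which should read "set" or name the option per language.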
