glue-review
Open source · MIT · runs on your key

AI code review, for AI coding agents.

glue-review posts one GitHub comment per PR — a short headline, severity bullets, and a paste-ready fix block your coding agent (Claude Code, Codex, Cursor, Aider, …) applies in one step.

Free with an OpenRouter key · also works with NVIDIA build.nvidia.com and Gemini · zero platform fee
01 The problem

PR review was written for humans skimming sections.

Existing review tools — bots and humans alike — produce prose. A Summary, an Issues list, a Suggestions list, an Open questions list. Great for a developer paging through Friday-afternoon PRs. Terrible for the AI coding agent that’s actually going to apply the fix.

Coding agents like Claude Code, Codex, Cursor, Aider, Cline, Gemini CLI, and OpenCode are good at following structured directives. They’re less good at parsing English to figure out what the reviewer meant. Give them a paragraph and they ask three clarifying questions. Give them a numbered list with file:line refs and a one-line acceptance check, and they just do the thing.

glue-review’s output is shaped to be the input of the next agent in the loop. One comment, scannable by humans on top, paste-ready by agents on the bottom.

02 What you get

One comment. A headline, severity bullets, and a paste-ready fix block.

Every PR opened against your repo gets exactly one sticky comment. Re-runs update in place; a transient upstream rate-limit never overwrites a previous good review.

[Screenshot: a real glue-review comment on a GitHub PR, with SQL injection flagged in three severity bullets and a fenced markdown fix block.]
Live comment from the smoke PR. The action posts; the comment is what your coding agent reads.

The fenced ```markdown block at the bottom is the product. A real coding agent reads it, applies the change, and the acceptance check closes the loop. When there’s no real finding, the comment is just No concerns — LGTM. with no fix block. When the approach is wrong, a third variant — Pushback on approach — emits a design-level rebuttal with a redirection block instead of per-line tweaks.

03 Install

Two minutes.

Drop one workflow file in your repo and add a free OpenRouter key as OPENROUTER_API_KEY:

# .github/workflows/glue-review.yml
on:
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

permissions:
  contents: read
  issues: write
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
      - uses: erain/glue/agents/glue-review@main
        with:
          openrouter-api-key: ${{ secrets.OPENROUTER_API_KEY }}

That’s it. The next PR you open gets a review comment. Want a different provider? Pass provider: nvidia with nvidia-api-key for build.nvidia.com’s free tier, or provider: gemini with gemini-api-key for Google’s. Chain them (provider: openrouter,nvidia,gemini) for free-tier reliability — the action walks the chain, first one with a working key wins.

Fork PRs need a second workflow triggered by a maintainer typing /glue-review, since GitHub doesn’t pass secrets to pull_request runs from forks. The README has the snippet.

04 Open by default

Your key. Your provider. Your code never leaves the loop.

glue-review has no backend. Nothing to sign up for. No bot account to authorise on your repo. No quota you can hit. The action runs entirely inside your GitHub Actions runner, talks directly to your LLM provider with your key, and posts the comment with your workflow’s GITHUB_TOKEN.

OpenRouter (default): ring-2.6-1t:free — $0 per PR, ~20 req/min ceiling. The free tier the eval runs against.
NVIDIA build.nvidia.com (free dev tier): moonshotai/kimi-k2.6 by default. Free with sign-up, generous rate limits.
Google Gemini (free tier exists): gemini-2.5-flash. Drop in by setting gemini-api-key.

Want higher rate limits or a stronger model? Pay your provider directly for a paid key and the action picks it up unchanged. There is no platform fee, no per-seat pricing, no “contact sales” page. Open source under MIT, and the agent itself is ~300 LOC of Go you can audit in an afternoon.

05 Evidence

Measured against a 28-case planted-bug eval.

The prompt isn’t vibes. It’s the result of iterating against a 28-case planted-bug suite at erain/glue-review-eval — Go, Python, and TypeScript host projects with SQL injection, missing auth, off-by-one, missing tests, stale docs, rejected-direction refactors, multi-bug PRs, and clean PRs. Every case ships a YAML sidecar with the planted bug, expected findings, and a machine-checkable acceptance test. Scored against openrouter/inclusionai/ring-2.6-1t:free — the free path the install snippet above uses.

Signal                                                      Initial  Current    Delta
has_fix_block (fenced ```markdown after Fix instructions)     0.11     0.82   +70.4pp
no_false_positives                                            0.96     1.00    +3.7pp
flagged_file                                                  0.93     0.85    −7.4pp
flagged_concept                                               0.90     0.86    −4.0pp

has_fix_block is the product-shaping metric: does the comment carry a fenced markdown block downstream coding agents can paste? It went from essentially never to 82%, with zero invented findings. The recall regressions are the price of a tighter format — the model spends some of its turn budget on the structural rubric.
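The comment shape from §02 and the has_fix_block signal above are concrete enough to parse. Below is an added example, not code from glue-review or its eval harness: a small Go parser that splits a comment into headline, severity bullets and the fenced ```markdown block, classifies it as fix / LGTM / pushback, and computes has_fix_block over a batch. The rule that the fence only counts when it opens after a "Fix instructions" line is taken from the table row; the sample comments are constructed, and the exact bullet syntax and struct layout are this example's assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Variant is one of the three comment shapes the page describes.
type Variant string

const (
	VariantFix      Variant = "fix"      // headline + severity bullets + fenced ```markdown fix block
	VariantLGTM     Variant = "lgtm"     // "No concerns — LGTM." with no fix block
	VariantPushback Variant = "pushback" // "Pushback on approach" with a redirection block
	VariantUnknown  Variant = ""         // findings but no paste-ready block (the has_fix_block misses)
)

// Review is the parsed comment. The field layout is this example's own choice.
type Review struct {
	Headline string
	Bullets  []string // severity bullets, kept verbatim
	FixBlock string   // body of the fenced ```markdown block, empty if none
	Variant  Variant
}

// ParseReview splits one comment into headline, bullets and fix block.
// Assumption mirroring the has_fix_block signal: the fence only counts when
// it opens after a line containing "Fix instructions". An unterminated fence
// is treated as no fix block, since an agent could not paste it cleanly.
func ParseReview(comment string) Review {
	var r Review
	var fence []string
	inFence, seenFixHeader := false, false
	sc := bufio.NewScanner(strings.NewReader(comment))
	for sc.Scan() {
		line := sc.Text()
		t := strings.TrimSpace(line)
		switch {
		case inFence && strings.HasPrefix(t, "```"):
			inFence = false
			r.FixBlock = strings.Join(fence, "\n")
		case inFence:
			fence = append(fence, line)
		case strings.HasPrefix(t, "```markdown") && seenFixHeader && r.FixBlock == "":
			inFence = true
		case strings.Contains(t, "Fix instructions"):
			seenFixHeader = true
		case strings.HasPrefix(t, "- ") || strings.HasPrefix(t, "* "):
			r.Bullets = append(r.Bullets, t)
		case r.Headline == "" && t != "":
			r.Headline = t // first non-blank line is the headline
		}
	}
	switch {
	case strings.HasPrefix(r.Headline, "Pushback on approach"):
		r.Variant = VariantPushback
	case r.FixBlock != "":
		r.Variant = VariantFix
	case strings.Contains(r.Headline, "No concerns"):
		r.Variant = VariantLGTM
	default:
		r.Variant = VariantUnknown
	}
	return r
}

// HasFixBlockRate is the has_fix_block signal over a batch: the fraction of
// comments carrying a paste-ready fenced ```markdown block.
func HasFixBlockRate(comments []string) float64 {
	if len(comments) == 0 {
		return 0
	}
	n := 0
	for _, c := range comments {
		if ParseReview(c).FixBlock != "" {
			n++
		}
	}
	return float64(n) / float64(len(comments))
}

// SampleFixComment is a constructed comment in the page's shape, not output
// captured from the real action.
const SampleFixComment = "**SQL injection in user lookup**: the WHERE clause is built from request input\n\n" +
	"- [high] db/users.go:42: fmt.Sprintf splices the id parameter into the query\n" +
	"- [medium] db/users_test.go: no test covers a hostile id value\n" +
	"- [low] docs/api.md: example still shows the old endpoint path\n\n" +
	"Fix instructions\n\n" +
	"```markdown\n" +
	"1. db/users.go:42: use a parameterised query (db.QueryRow(\"... WHERE id = $1\", id)).\n" +
	"2. db/users_test.go: add a test that passes a quote-bearing id and asserts no row is returned.\n" +
	"Acceptance: go test ./db/... is green.\n" +
	"```\n"

// SampleLGTMComment is the constructed clean-PR variant.
const SampleLGTMComment = "No concerns — LGTM.\n"

func main() {
	for _, c := range []string{SampleFixComment, SampleLGTMComment} {
		r := ParseReview(c)
		fmt.Printf("variant=%-8s bullets=%d headline=%q\n", r.Variant, len(r.Bullets), r.Headline)
	}
	fmt.Printf("has_fix_block rate: %.2f\n", HasFixBlockRate([]string{SampleFixComment, SampleLGTMComment}))
}
```

A downstream agent would paste `FixBlock` unchanged; the eval's other signals (flagged_file, flagged_concept) would be computed from the bullets against the case's YAML sidecar, which is outside this example.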

Downstream-fix success — the closer-to-truth product KPI — is measured by piping the fix block into codex exec in a fresh sandbox and checking whether the planted-bug acceptance test transitions red → green. 6 of 8 = 75% on cases where the agent produced a fix block and the executor didn’t error mid-run. Per-case breakdown, methodology, and repro instructions in the final report.

06 Built on glue

The first agent on a small Go harness, not a one-off.

glue-review is ~300 LOC of Go on top of glue — a minimal agent framework: provider-agnostic loop with deterministic tool execution, file-backed sessions, an embedded prompt catalog, a tool registry, and a multi-provider failover that walks openrouter,nvidia,gemini until one responds. The library is pre-1.0 but the Agent / Session surface has been stable in practice.
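The failover described in §03 (provider: openrouter,nvidia,gemini, "first one with a working key wins") and here is worth seeing as code. The following is an added example written for this page, not glue's own provider interface, which the page does not show: it parses the chain input, skips providers with no key, falls through on a rate-limit error, and reports every skip reason when the whole chain fails. The Provider struct, the error value and the demo providers are assumptions; no network calls are made.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrRateLimited stands in for an upstream HTTP 429. A chain member
// returning it is skipped and the next provider is tried.
var ErrRateLimited = errors.New("rate limited (HTTP 429)")

// Provider is the minimal surface the chain needs. The real glue library's
// provider interface is not shown on the page; this shape is an assumption.
type Provider struct {
	Name   string
	APIKey string
	Review func(prompt string) (string, error)
}

// ParseChain turns the Action input "openrouter,nvidia,gemini" into an
// ordered list of provider names, dropping blanks and surrounding spaces.
func ParseChain(spec string) []string {
	var chain []string
	for _, n := range strings.Split(spec, ",") {
		if n = strings.TrimSpace(n); n != "" {
			chain = append(chain, n)
		}
	}
	return chain
}

// RunChain walks the chain in order. Providers with no key are skipped, and
// a provider that errors (429 or otherwise) hands over to the next one, so
// "first one with a working key wins". Every skip reason is kept so a fully
// failed run is diagnosable from the workflow log. The caller leaves the
// existing sticky comment untouched when err != nil; that is what keeps a
// transient rate-limit from overwriting a previous good review.
func RunChain(chain []string, providers map[string]Provider, prompt string) (used, review string, err error) {
	var reasons []string
	for _, name := range chain {
		p, ok := providers[name]
		if !ok || p.APIKey == "" {
			reasons = append(reasons, name+": no key configured")
			continue
		}
		out, rerr := p.Review(prompt)
		if rerr != nil {
			reasons = append(reasons, name+": "+rerr.Error())
			continue
		}
		return name, out, nil
	}
	return "", "", fmt.Errorf("all providers failed: %s", strings.Join(reasons, "; "))
}

// DemoProviders is a constructed set: OpenRouter answers 429, NVIDIA has no
// key configured, Gemini responds. Keys are placeholders, not real secrets.
func DemoProviders() map[string]Provider {
	return map[string]Provider{
		"openrouter": {Name: "openrouter", APIKey: "placeholder-key",
			Review: func(string) (string, error) { return "", ErrRateLimited }},
		"nvidia": {Name: "nvidia", APIKey: ""},
		"gemini": {Name: "gemini", APIKey: "placeholder-key",
			Review: func(string) (string, error) { return "No concerns — LGTM.", nil }},
	}
}

func main() {
	used, review, err := RunChain(ParseChain("openrouter, nvidia, gemini"), DemoProviders(), "review this diff")
	if err != nil {
		fmt.Println("no review posted, previous comment kept:", err)
		return
	}
	fmt.Printf("reviewed by %s: %s\n", used, review)
}
```

Run as-is, the chain skips OpenRouter on the simulated 429, skips NVIDIA for lack of a key, and returns Gemini's answer; trimming the chain to openrouter,nvidia produces the combined failure message instead.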

Want a security-focused / performance-focused / docs-focused reviewer instead? Fork agents/glue-review/main.go, swap the embedded prompt, ship it as your own Action:

// agents/my-reviewer/prompt.go
package main

import _ "embed"

// systemPrompt is filled at build time from the markdown file next to it.
//
//go:embed prompts/default.md
var systemPrompt string

// agents/my-reviewer/prompts/default.md
//   "You are a security-focused PR reviewer. Only flag SQL injection,
//    XSS, missing auth, and secret-in-diff issues. ..."

Same provider failover, same session machinery, same composite Action template. The product surface — one comment per PR, fenced markdown fix block — is just one prompt away.

07 FAQ

Anticipated skepticism.

Why one comment instead of inline?

Inline comments scatter intent across the diff. Coding agents have to gather them, deduplicate, and re-order before they can act. A single comment with a numbered fix-block lets the agent paste once and execute in order. Humans get the headline and severity bullets at the top of the same comment — best of both shapes.

Free models can’t be that good, can they?

The default model (inclusionai/ring-2.6-1t:free on OpenRouter) identified SQL injection, missing auth, off-by-ones, and stale docs at human-reviewer level in the eval. Where it struggles is subjective design questions and large refactor PRs — same as everyone. If a free tier 429s mid-batch, glue-review falls back to your next provider in the chain without dropping the comment.

Does the agent see my source code? Where does it run?

It runs inside your repo’s GitHub Actions runner, on a throwaway VM that GitHub provisions per workflow. It reads your diff plus the files the model decides to fetch — gated by a built-in blocklist that refuses to open .env*, id_rsa*, *.pem, *.key, credentials.json, secret.*, and .aws / .gcloud / .azure paths (extendable, can’t be shrunk). The model sees only what the runner sends; we never proxy or log anything.
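The blocklist is the part of this answer a security reviewer will want to check, so here is an added example of how such a gate can be implemented; it is this page's illustration, not glue-review's own code, and only the pattern list is taken from the text. It normalises the path before matching (so `src/../.env` cannot dodge the check), tests every path component rather than just the file name (so anything under `.aws/` is refused), lower-cases before matching, and exposes Extend but no way to remove a default. The Partition helper and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"strings"
)

// defaultBlocklist holds the patterns the FAQ lists. Each pattern is matched
// against every path component (lower-cased), so .aws/credentials and
// home/ci/.gcloud/x are refused through the directory name alone.
var defaultBlocklist = []string{
	".env*", "id_rsa*", "*.pem", "*.key", "credentials.json", "secret.*",
	".aws", ".gcloud", ".azure",
}

// Blocklist can only grow: Extend appends, and nothing removes the
// defaults, matching "extendable, can't be shrunk".
type Blocklist struct{ patterns []string }

// NewBlocklist copies the defaults so callers cannot alias and edit them.
func NewBlocklist() *Blocklist {
	return &Blocklist{patterns: append([]string(nil), defaultBlocklist...)}
}

// Extend adds repo-specific patterns (e.g. "*.pfx") on top of the defaults.
func (b *Blocklist) Extend(patterns ...string) { b.patterns = append(b.patterns, patterns...) }

// Blocked reports whether a repo-relative path must not be handed to the
// model. The path is cleaned first so "src/../.env" or "./.aws/creds" cannot
// sidestep the check, and every component is tested, not just the base name.
// Note that ".env*" also catches ".envrc"; erring on the side of refusing is
// the intended behaviour for a list that can only grow.
func (b *Blocklist) Blocked(p string) bool {
	clean := strings.TrimPrefix(filepath.ToSlash(filepath.Clean(p)), "/")
	for _, comp := range strings.Split(clean, "/") {
		comp = strings.ToLower(comp)
		for _, pat := range b.patterns {
			if ok, err := path.Match(pat, comp); err == nil && ok {
				return true
			}
		}
	}
	return false
}

// Partition splits the files a model asked for into those the runner may
// read and those it refuses; the refused list belongs in the log, not in
// anything sent back to the model.
func (b *Blocklist) Partition(requested []string) (allowed, refused []string) {
	for _, p := range requested {
		if b.Blocked(p) {
			refused = append(refused, p)
		} else {
			allowed = append(allowed, p)
		}
	}
	return allowed, refused
}

func main() {
	b := NewBlocklist()
	b.Extend("*.pfx") // repo-specific addition; defaults stay in force
	allowed, refused := b.Partition([]string{ // constructed sample request
		"main.go", "src/../.env.production", "config/.aws/credentials",
		"deploy/id_rsa.pub", "certs/server.pfx", "docs/env.md",
	})
	fmt.Println("allowed:", allowed)
	fmt.Println("refused:", refused)
}
```

The check runs on the path the model asked for, not on file contents, which is the cheap and predictable place to put it; a secret-scanning pass over the diff itself would be a separate, complementary control.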

Does it work on fork PRs?

Yes, with a second workflow triggered by a maintainer typing /glue-review on the PR. That workflow runs in the base-repo context with full secret access, fires only for OWNER / MEMBER / COLLABORATOR comments, and pins the head SHA at trigger time so a fork can’t swap code into the run. Both snippets are in the README.
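The three conditions in that answer (only on a PR, only on a /glue-review command, only from OWNER / MEMBER / COLLABORATOR, with the head SHA pinned at trigger time) can be made explicit. The following is an added example, not the README's workflow snippet or glue-review's code: a Go gate that reads the subset of GitHub's issue_comment payload it needs, applies those checks, and resolves the head SHA once through a caller-supplied lookup so the privileged checkout uses that exact commit. The payload, the lookup function and the "command must be the whole first line" rule are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// issueCommentEvent models the subset of GitHub's issue_comment webhook
// payload the gate needs; field names follow the real JSON, and everything
// else in the payload is ignored (assumption: the real workflow may read more).
type issueCommentEvent struct {
	Comment struct {
		Body              string `json:"body"`
		AuthorAssociation string `json:"author_association"`
	} `json:"comment"`
	Issue struct {
		Number      int              `json:"number"`
		PullRequest *json.RawMessage `json:"pull_request"` // nil when the comment is on a plain issue
	} `json:"issue"`
}

// Decision is what the gate hands to the rest of the workflow.
type Decision struct {
	Run       bool
	Reason    string
	PRNumber  int
	PinnedSHA string // head SHA resolved once, at trigger time
}

// trustedAssociations are the author_association values allowed to start a
// run that has secret access.
var trustedAssociations = map[string]bool{"OWNER": true, "MEMBER": true, "COLLABORATOR": true}

// Gate decides whether a comment may start a secret-bearing run. lookupHead
// resolves the PR's current head SHA (one API call in a real workflow); the
// SHA is pinned into the decision so the checkout that follows uses it
// verbatim, and a push to the fork after the trigger cannot change which
// code the privileged run sees.
func Gate(payload []byte, lookupHead func(pr int) (string, error)) (Decision, error) {
	var ev issueCommentEvent
	if err := json.Unmarshal(payload, &ev); err != nil {
		return Decision{}, fmt.Errorf("bad payload: %w", err)
	}
	if ev.Issue.PullRequest == nil {
		return Decision{Reason: "comment is on an issue, not a pull request"}, nil
	}
	// The command must be the whole first line; "please /glue-review" or a
	// quoted reply that merely contains the trigger does not count.
	first := strings.TrimSpace(strings.SplitN(ev.Comment.Body, "\n", 2)[0])
	if first != "/glue-review" {
		return Decision{Reason: "no /glue-review command"}, nil
	}
	if !trustedAssociations[ev.Comment.AuthorAssociation] {
		return Decision{Reason: "author association " + ev.Comment.AuthorAssociation + " is not trusted"}, nil
	}
	sha, err := lookupHead(ev.Issue.Number)
	if err != nil {
		return Decision{}, fmt.Errorf("resolving head SHA: %w", err)
	}
	return Decision{Run: true, Reason: "trusted trigger", PRNumber: ev.Issue.Number, PinnedSHA: sha}, nil
}

// constructedPayload is a hand-written issue_comment event, not a capture.
const constructedPayload = `{
  "comment": {"body": "/glue-review", "author_association": "MEMBER"},
  "issue": {"number": 42, "pull_request": {"url": "https://api.github.com/repos/example/repo/pulls/42"}}
}`

// fakeLookupHead stands in for the API call; it returns a 40-hex placeholder,
// not a real commit.
func fakeLookupHead(pr int) (string, error) {
	return fmt.Sprintf("%040x", pr), nil
}

func main() {
	d, err := Gate([]byte(constructedPayload), fakeLookupHead)
	if err != nil {
		fmt.Println("gate error:", err)
		return
	}
	fmt.Printf("run=%v reason=%q pr=%d sha=%s\n", d.Run, d.Reason, d.PRNumber, d.PinnedSHA)
}
```

In the workflow, `PinnedSHA` is what goes into the checkout's `ref:` for the review step; the gate's refusals are worth logging, since an unexpected volume of untrusted triggers is itself a signal.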

Will the comment shape change under me?

No. The shape is the product. Anything we change in the prompt gets measured against the eval suite before it lands; anything that regresses the headline metric doesn’t ship. Pin @main for the rolling latest, or pin a specific commit SHA if you want it frozen.

Can I customise what it looks for?

Yes — pass prompt: to the Action input (or --prompt on the CLI) to override the user message: “only check for SQL injection”, “only review the migration files”, “flag any new dependency without a version pin”. For a deeper change — different output shape, domain-specific checklist — fork the agent (§06).

One comment. Paste-ready. On your key.

Two minutes to install. The next PR you open gets reviewed.
