You know that PR review comment.
"Did you mean to leave this console.log?"
Or worse:
"This looks like a hardcoded API key."
These are the avoidable ones. The embarrassing ones. The ones that make you wish the CI had caught it before your reviewer did.
I built a GitHub Action for this: Review Ready.
name: Review Ready
on:
  pull_request:
    branches: [main, master]
jobs:
  review-ready:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: yurukusa/review-ready@v0.1.0
That's it. Add this to your repo. When someone opens a PR, it scans the changed lines and outputs inline annotations for anything suspicious.
What it catches
Debug statements — console.log, debugger, Python's print(), Ruby's puts, Go's fmt.Print, Rust's println!, PHP's var_dump and dd(). Only in newly-added lines, not the whole codebase.
TODO/FIXME debt — TODO, FIXME, HACK, XXX, TEMP, WTF, BUG in code you just wrote. Old TODOs are fine. New ones in a PR signal incomplete work.
Secrets — AWS access keys, GitHub PATs (ghp_), OpenAI API keys (sk-), Slack tokens (xox), hardcoded passwords and API keys. Skips test/mock/fixture files — they legitimately contain fake credentials.
Large files — accidentally staged files over 500KB. Binary assets, built artifacts, database dumps.
Missing tests — source files changed without a corresponding test file. Checks .test.ts, .spec.ts, __tests__/, test_ prefixes. Skips index.ts, types.ts, config.ts — those don't need tests.
Complexity — high cyclomatic complexity in new JS/TS code. Counts branches (if/else/while/for/&&/||) in added lines. If you added 20+ lines with 10+ branches, it'll flag it.
The annotations
When it finds something, you get inline PR annotations:
::error file=src/auth.ts,line=42::[review-ready/no-secrets] Possible API key detected
::warning file=src/utils.ts,line=15::[review-ready/no-todo-in-changes] Unresolved marker: // TODO: validate input
::notice file=src/payment.ts::[review-ready/test-file-exists] No test file found for payment.ts
Errors show up as blocking annotations in the PR diff. Warnings and info are informational.
Configuration
All checks are independently configurable:
- uses: yurukusa/review-ready@v0.1.0
  with:
    no-debug-statements: true
    no-todo-in-changes: true
    no-secrets: true
    no-large-files: true
    test-coverage: true
    complexity: true
    complexity-threshold: 10
    fail-on: error # "error" | "warning" | "never"
Set fail-on: never if you want the annotations without blocking the PR.
VS Code Extension
There's also a VS Code extension that runs the same checks locally — before you even push. Results appear in the Activity Bar with a colored status bar.
MCP Server (Claude Code / Claude Desktop)
If you use Claude Code or Claude Desktop, there's also an MCP server that lets you ask Claude to run the checks directly:
{
  "mcpServers": {
    "review-ready": {
      "command": "npx",
      "args": ["review-ready-mcp"]
    }
  }
}
Then: "Check my changes before I push" — Claude calls check_changes on your repo and reports inline.
Available on npm: review-ready-mcp
How it works
The action runs git diff against the base branch to get only the changed lines. This is intentional — it doesn't lint your whole codebase, just what's new in this PR.
Each check is a pure function: (changedLines, filename) → CheckResult[]. The CLI wraps them, formats GitHub Actions annotations, and exits with the right code.
The whole thing is 11KB. Zero external dependencies in the action bundle.
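The pure-function shape described above, applied to the secrets check and the annotation format shown earlier, as an added example (this is not Review Ready's source code). The regexes, the skip-path pattern, and the names checkSecrets and toAnnotation are assumptions chosen for illustration; the sample input is constructed.

```javascript
// Added illustration: patterns and names are assumptions, not the project's code.
const SECRET_PATTERNS = [
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'GitHub personal access token', re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: 'OpenAI-style API key', re: /\bsk-[A-Za-z0-9_-]{20,}/ },
  { name: 'Slack token', re: /\bxox[abprs]-[A-Za-z0-9-]{10,}/ },
  { name: 'hardcoded password or API key',
    re: /\b(password|passwd|api[_-]?key|secret)\b\s*[:=]\s*['"][^'"]{8,}['"]/i },
];

// Test, mock and fixture files legitimately hold fake credentials, so skip them.
const SKIP_FILE =
  /(^|\/)(__tests__|__mocks__|tests?|mocks?|fixtures?)\/|\.(test|spec)\.[jt]sx?$|(^|\/)test_[^\/]*$/;

// Pure check: (changedLines, filename) -> CheckResult[]
// changedLines: [{ line: number in the new file, text: added line without "+" }]
function checkSecrets(changedLines, filename) {
  if (SKIP_FILE.test(filename)) return [];
  const results = [];
  for (const { line, text } of changedLines) {
    const hit = SECRET_PATTERNS.find((p) => p.re.test(text));
    if (!hit) continue;
    // Report only the kind of secret; never echo the matched value into CI logs.
    results.push({
      level: 'error', file: filename, line,
      rule: 'review-ready/no-secrets', message: `Possible ${hit.name} detected`,
    });
  }
  return results;
}

// GitHub workflow commands need %, CR and LF escaped; property values also : and ,
const esc = (s) => String(s).replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
const escProp = (s) => esc(s).replace(/:/g, '%3A').replace(/,/g, '%2C');

function toAnnotation(r) {
  return `::${r.level} file=${escProp(r.file)},line=${r.line}::[${r.rule}] ${esc(r.message)}`;
}

// Constructed sample: the token is built at runtime so no secret-like literal is committed.
const sample = [
  { line: 41, text: 'const region = "us-east-1";' },
  { line: 42, text: 'const token = "ghp_' + 'a'.repeat(36) + '";' },
];
for (const r of checkSecrets(sample, 'src/auth.ts')) console.log(toAnnotation(r));
```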
GitHub: yurukusa/vscode-review-ready | npm: review-ready | MCP: review-ready-mcp | Live demo
One workflow file. No setup. Catches the obvious stuff.
What's your most embarrassing PR review comment?