nitpik 1.4.0

AI-powered code review CLI
# Action metadata shown in the GitHub Marketplace listing.
name: 'nitpik'
description: 'AI-powered code review — run nitpik in your GitHub Actions workflow'
author: 'nitpik'

# Marketplace badge appearance.
branding:
  icon: 'search'
  color: 'purple'

# All inputs are optional. Their values should come from trusted workflow
# configuration; do not populate them from pull-request titles, branch names,
# or other contributor-controlled text.
inputs:
  # Release to install. 'latest' is resolved at run time, so the binary can
  # change between runs; pin a release tag for reproducible, reviewable runs.
  version:
    description: "nitpik version to use (e.g. 'v0.1.0', 'latest')"
    required: false
    default: 'latest'

  # When non-empty, nitpik is invoked with these arguments in place of the
  # default `review` command line, and the profiles / fail_on / scan_secrets /
  # agent inputs are not used. The diff-base step still runs first.
  args:
    description: 'Arguments to pass to nitpik (default: review with GitHub format)'
    required: false
    default: ''

  # Forwarded to `nitpik review --profile`.
  profiles:
    description: 'Comma-separated reviewer profiles'
    required: false
    default: 'backend'

  # Empty means "origin/<PR target branch>"; outside pull_request events an
  # explicit value is required or the action fails.
  diff_base:
    description: 'Git ref to diff against (default: PR target branch)'
    required: false
    default: ''

  # Empty means `--fail-on` is not passed to nitpik.
  fail_on:
    description: 'Exit non-zero on severity: info, warning, error'
    required: false
    default: ''

  # Off by default: only the exact string 'true' adds `--scan-secrets`.
  # NOTE(review): with the default, review content presumably reaches the LLM
  # provider without a secret scan — confirm against nitpik's documentation.
  scan_secrets:
    description: 'Enable secret scanning before sending to LLM'
    required: false
    default: 'false'

  # Off by default: only the exact string 'true' adds `--agent`.
  agent:
    description: 'Enable agentic mode (LLM explores your codebase)'
    required: false
    default: 'false'

# ⚠ Security: API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, etc.) must be passed
#   via GitHub Secrets — never hardcode them in workflow files.
#   See: https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions

runs:
  using: composite
  steps:
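    # Resolve the ref to diff against and publish it as the step output `ref`.
    # Precedence: explicit `diff_base` input, then origin/<PR target branch>.
    - name: Determine diff base
      id: base
      shell: bash
      env:
        # The input reaches the script as an environment variable instead of
        # being expanded into the script text, so shell metacharacters in the
        # value are handled as data, not as code.
        INPUT_DIFF_BASE: ${{ inputs.diff_base }}
      run: |
        set -euo pipefail

        base_ref="${INPUT_DIFF_BASE:-}"
        if [ -z "$base_ref" ] && [ -n "${GITHUB_BASE_REF:-}" ]; then
          base_ref="origin/$GITHUB_BASE_REF"
        fi

        if [ -z "$base_ref" ]; then
          echo "::error::No diff base: set 'diff_base' input or run on a pull_request event"
          exit 1
        fi

        # $GITHUB_OUTPUT is line-oriented: a value containing a line break
        # would define additional outputs. A leading '-' would be read as an
        # option by the command that later receives this ref.
        case "$base_ref" in
          -* | *$'\n'* | *$'\r'*)
            echo "::error::Invalid diff base: must be a single-line git ref that does not start with '-'"
            exit 1
            ;;
        esac

        printf 'ref=%s\n' "$base_ref" >> "$GITHUB_OUTPUT"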

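    # Download the release tarball for the requested version and install the
    # nitpik binary into /usr/local/bin.
    - name: Install nitpik
      shell: bash
      env:
        # Passed through the environment so the values are never parsed as
        # part of the script text.
        INPUT_VERSION: ${{ inputs.version }}
        ACTION_REPOSITORY: ${{ github.action_repository }}
      run: |
        set -euo pipefail

        # The version becomes a URL path segment. Restrict it to tag-like
        # characters and reject '..' so it cannot redirect the download to a
        # different path on the host.
        case "$INPUT_VERSION" in
          '' | *..* | *[!A-Za-z0-9._+-]*)
            echo "::error::Invalid 'version' input: expected 'latest' or a release tag such as 'v0.1.0'"
            exit 1
            ;;
        esac

        asset="nitpik-x86_64-unknown-linux-gnu.tar.gz"
        if [ "$INPUT_VERSION" = "latest" ]; then
          url="https://github.com/${ACTION_REPOSITORY}/releases/latest/download/${asset}"
        else
          url="https://github.com/${ACTION_REPOSITORY}/releases/download/${INPUT_VERSION}/${asset}"
        fi

        workdir="$(mktemp -d)"
        trap 'rm -rf "$workdir"' EXIT

        # Fetch to a file first so a truncated or failed download is never
        # streamed into tar; HTTPS is required for the request and redirects.
        curl -sSfL --proto '=https' --proto-redir '=https' -o "$workdir/$asset" "$url"

        # NOTE(review): the archive is trusted on TLS alone. If the releases
        # publish a checksum, signature, or attestation, verify it here before
        # installing.

        # Unpack in the scratch directory and copy only the binary, so other
        # archive members cannot land in /usr/local/bin.
        # Assumes `nitpik` sits at the archive root — TODO confirm.
        tar -xzf "$workdir/$asset" -C "$workdir"
        install -m 0755 "$workdir/nitpik" /usr/local/bin/nitpik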

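    # Run nitpik. A non-empty `args` input replaces the default command line;
    # otherwise `nitpik review` is assembled from the remaining inputs.
    - name: Run nitpik
      shell: bash
      env:
        # Every input is handed over through the environment. Expanding
        # `${{ ... }}` inside the script, or re-parsing a command string with
        # `eval`, would let metacharacters in an input run as shell code.
        INPUT_ARGS: ${{ inputs.args }}
        INPUT_PROFILES: ${{ inputs.profiles }}
        INPUT_FAIL_ON: ${{ inputs.fail_on }}
        INPUT_SCAN_SECRETS: ${{ inputs.scan_secrets }}
        INPUT_AGENT: ${{ inputs.agent }}
        DIFF_BASE_REF: ${{ steps.base.outputs.ref }}
      run: |
        set -euo pipefail

        if [ -n "$INPUT_ARGS" ]; then
          # Split on whitespace as before, with globbing disabled so '*' or
          # '?' in an argument is not expanded against the workspace.
          set -f
          # shellcheck disable=SC2206
          extra_args=( $INPUT_ARGS )
          set +f
          nitpik "${extra_args[@]}"
          exit 0
        fi

        # Build the command as an array: each value stays a single argument
        # and is never re-interpreted by the shell.
        cmd=(nitpik review --diff-base "$DIFF_BASE_REF" --profile "$INPUT_PROFILES" --format github)

        if [ -n "$INPUT_FAIL_ON" ]; then
          cmd+=(--fail-on "$INPUT_FAIL_ON")
        fi

        if [ "$INPUT_SCAN_SECRETS" = "true" ]; then
          cmd+=(--scan-secrets)
        fi

        if [ "$INPUT_AGENT" = "true" ]; then
          cmd+=(--agent)
        fi

        echo "::group::nitpik review"
        # Capture the status so the log group is closed even when nitpik
        # exits non-zero (for example when --fail-on triggers).
        status=0
        "${cmd[@]}" || status=$?
        echo "::endgroup::"
        exit "$status"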