Build an AI PR Reviewer with GitHub Actions (AWS Bedrock + Terraform + Python)

Build an AI PR Reviewer with GitHub Actions (AWS Bedrock + Terraform + Python)

scotty profile picture

Scotty Parlor

March 3, 2026

Read Time 4 min

TL;DR

We’ll create a workflow where every pull request triggers a GitHub Action that:

  1. extracts the PR diff

  2. sends it to AWS Bedrock for analysis

  3. posts the review back as a PR comment

Follow along here:

  

Architecture

Pull Request → GitHub Actions → PR Diff → Bedrock InvokeModel → Review Output → PR Comment

Prerequisites

  • Terraform installed

  • AWS credentials configured locally (or via CI)

  • A GitHub repo to host the workflow + script

  • A Bedrock model enabled in your AWS account/region

  • Copilot or another LLM

Step 1 — Create your project structure

Structure:

  • infra/ (Terraform for AWS resources)

  • scripts/ (Python code that calls Bedrock + comments on PR)

  • .github/workflows/ (GitHub Actions workflow)

Step 2 — Provision baseline Terraform infrastructure

In infra/, define the following utilizing copilot:

  • S3 bucket for Terraform remote state

    • encryption enabled

    • versioning enabled

    • public access blocked

  • DynamoDB table for state locking

This gives you the “real world” Terraform baseline (especially if you expand this project later).

Step 3 — Configure GitHub OIDC → AWS IAM Role (Terraform)

Create:

  1. OpenID Connect Provider for GitHub Actions

  2. IAM Role that can be assumed via sts:AssumeRoleWithWebIdentity

  3. Restrict the trust policy to your repo (ex: repo:OWNER/REPO:*)

  4. Attach the minimum permissions your workflow needs, such as:

    • bedrock:InvokeModel

    • logs:CreateLogGroup

    • logs:CreateLogStream (and typically log write permissions if you add them)

This avoids storing long-lived AWS keys in GitHub secrets.

Step 4 — Add the GitHub Actions workflow

Create .github/workflows/ai-pr-review.yml that triggers on pull_request and includes:

  • checkout the repository

  • configure AWS credentials (OIDC assume role)

  • extract the PR diff

  • run your Python reviewer script

  • post the output as a PR comment

Required workflow permissions typically include:

  • id-token: write

  • contents: read

  • pull-requests: write

Add a GitHub secret for your AWS role ARN (ex: AWS_ROLE_ARN) and reference it in the workflow.

Step 5 — Write the Python Bedrock reviewer script

Your script should:

  1. Read the diff text (limit size so you don’t exceed model input)

  2. Build a structured “DevOps PR Review” prompt (security, performance, best practices)

  3. Call Bedrock via boto3 invoke_model

  4. Parse the response

  5. Post the response back to the PR using GitHub’s API

Keep the output readable:

  • start with a short summary

  • list risks + recommendations in bullets

  • include “actionable next steps”

Step 6 — Test end-to-end

  • Create a branch

  • Make a small change (README edit)

  • Open a pull request

  • Confirm the workflow runs and posts a comment

Then test a “security scenario”:

  • add intentionally risky Terraform (ex: open ingress / missing SG / hardcoded AMI)

  • open another PR

  • verify the AI calls out the issues

Next ideas (optional)

  • Add Terraform fmt/validate/plan steps in CI

  • Add policy-as-code checks (OPA/Conftest)

  • Store review output as an artifact

  • Add “severity scoring” in the prompt