BugBot — AI GitHub Code Review

Autonomous PR review bot: HMAC-verified webhooks → BullMQ workers → 3-stage GPT-4.1-mini pipeline that posts inline GitHub suggestions. Reduces LLM calls by ~60% by skipping Stage 3 for non-critical issues.

// AI Systems / Developer Tools / Distributed Systems
BugBot
3-stage AI pipeline · HMAC-verified webhooks · diff line snapping · ~60% LLM call reduction
  • Built an AI-powered GitHub code review system that automatically analyzes pull requests and posts inline review comments — mimicking a senior engineer.
  • Designed an event-driven architecture using GitHub Webhooks → Hono server → BullMQ queue → distributed workers for scalable async processing.
  • Implemented a multi-stage AI pipeline:
    • summarize code changes
    • identify bugs & security issues (structured JSON)
    • generate inline fix suggestions (GitHub-compatible)
  • Stage 3 (fix suggestion) only runs for bug and security type issues — skipping style and low-severity findings cuts LLM calls by ~60% on average PRs.
  • Engineered a diff chunking system to handle large PRs efficiently, with token-aware splitting and global processing limits.
  • Solved the GitHub diff line problem with snapToNearestDiffLine:
    • AI returns absolute file line numbers; GitHub's review API only accepts lines that appear in the diff hunk
    • snapper finds the nearest addedLines entry by absolute distance, preventing 422 Unprocessable Entity errors when a comment is posted
    • deduplication filters issues whose description already exists in PR comments, preventing duplicate noise on force-push re-triggers
  • On synchronize (force-push) events, before/after SHA comparison filters out already-reviewed files — only the net-new diff gets re-processed, not the entire PR.
  • Integrated GitHub App authentication using @octokit/app for secure, installation-based access across repositories.
  • Designed persistent job tracking system using PostgreSQL (Prisma) to monitor processing status, failures, and token usage.
  • Optimized system for reliability:
    • crypto.timingSafeEqual HMAC verification with typed failure reasons (missing_secret, length_mismatch, mismatch); the length check runs first because timingSafeEqual throws on buffers of unequal length
    • x-github-delivery header as idempotency key — the same webhook delivery is never processed twice
    • 3 retries with exponential backoff via BullMQ; ReviewJob marked failed with the error message once retries are exhausted
    • 202 Accepted returned to GitHub immediately — worker decoupled so GitHub's 10s timeout is never at risk
  • Packaged as a TypeScript monorepo with shared config + DB layers for scalability and maintainability.
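The webhook verification and idempotency steps listed above, as an added TypeScript example (not BugBot's own code): it verifies GitHub's X-Hub-Signature-256 header with crypto.timingSafeEqual, returns the typed failure reasons the page names plus an assumed missing_signature reason for an absent header, and claims each x-github-delivery id once. The sample secret and payload are constructed, and the in-memory Set stands in for whatever store the project uses.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Failure reasons: the first three are the ones the page lists; "missing_signature"
// is an assumed addition for a request that carries no signature header at all.
type VerifyFailure =
  | "missing_secret" | "missing_signature" | "length_mismatch" | "mismatch";
interface VerifyResult { ok: boolean; reason?: VerifyFailure }

// Verify GitHub's X-Hub-Signature-256 header ("sha256=<hex digest>") against the
// raw request body. rawBody must be the exact bytes GitHub sent; re-serialising a
// parsed JSON object changes whitespace and key order and breaks the digest.
function verifyGitHubSignature(
  rawBody: Buffer | string,
  signatureHeader: string | undefined,
  secret: string | undefined,
): VerifyResult {
  if (!secret) return { ok: false, reason: "missing_secret" };
  if (!signatureHeader) return { ok: false, reason: "missing_signature" };

  const digest = createHmac("sha256", secret).update(rawBody).digest("hex");
  const expected = Buffer.from(`sha256=${digest}`, "utf8");
  const received = Buffer.from(signatureHeader, "utf8");

  // timingSafeEqual throws on buffers of unequal length, so the length check has
  // to come first; reporting it as its own reason keeps the handler exception-free.
  if (expected.length !== received.length) return { ok: false, reason: "length_mismatch" };
  if (!timingSafeEqual(expected, received)) return { ok: false, reason: "mismatch" };
  return { ok: true };
}

// Produce the header value GitHub would send for a body (used here to build samples).
function signBody(rawBody: Buffer | string, secret: string): string {
  return `sha256=${createHmac("sha256", secret).update(rawBody).digest("hex")}`;
}

// Idempotency on x-github-delivery: a delivery id is accepted the first time only.
// An in-memory Set stands in for the database or Redis check a real worker would use.
const seenDeliveries = new Set<string>();
function claimDelivery(deliveryId: string): boolean {
  if (seenDeliveries.has(deliveryId)) return false;
  seenDeliveries.add(deliveryId);
  return true;
}

// Constructed sample payload and secret (not real values).
const SAMPLE_SECRET = "constructed-webhook-secret";
const SAMPLE_BODY = JSON.stringify({ action: "opened", number: 42 });

console.log(verifyGitHubSignature(SAMPLE_BODY, signBody(SAMPLE_BODY, SAMPLE_SECRET), SAMPLE_SECRET));
console.log(verifyGitHubSignature(SAMPLE_BODY, "sha256=deadbeef", SAMPLE_SECRET));
```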

// tech

Hono · BullMQ · Redis · OpenAI · Octokit · PostgreSQL · Prisma · TypeScript · gpt-4.1-mini · Docker