feat(actions): add GitHub App authentication support for review actions

[bdougie]

Description

This PR enhances the Continue review actions to support GitHub App authentication, enabling reviews to be posted as the Continue Agent bot instead of the github-actions bot. This provides a better user experience with proper bot identity and improved rate limits.

Key Changes:

1. Standardized GitHub App Authentication: All three review actions (base-review, general-review, detailed-review) now support GitHub App authentication by default with use_github_app: true.

2. Flexible Token System: Introduced a github-token input parameter that allows external workflows to pass their own GitHub App tokens, enabling full control over authentication. This was only because I could not test it locally without it being installed. I installed it on my bdougie/contributor.info#459 repo to test. cc @sestinj for installing https://github.com/apps/continue-agent

3. Smart Fallback Chain:

   • Priority: Explicitly provided token → Generated app token → Default GitHub Actions token - This keeps the existing working
   • Automatically falls back if app credentials are missing or app isn't installed

4. Simplified Base Action: The base-review action now delegates to detailed-review, eliminating duplicate code and ensuring consistent behavior. IMO - detailed review has all the value.

5. Zero-Config for External Users: External repositories can use the action with just CONTINUE_API_KEY.

6. Enhanced Security Features: - _Suggest in the review because I ran prettier on the existing code. @tomasz-stefaniak _

   • Workflow-level filtering: Only runs on PRs or when @continue-agent is mentioned
   • Authorization checks: Validates user permissions (OWNER/MEMBER/COLLABORATOR)
   • Input sanitization: Secure handling of custom prompts to prevent code injection
   • Multi-layer security: Defense in depth approach

7. Custom Review Prompts: Users can now provide specific instructions:

   • @continue-agent - Standard review
   • @continue-agent detailed - Detailed review
   • @continue-agent focus on security - Custom focus area
   • Prompts are sanitized and handled securely

Authentication Flow:

# Simplest usage - uses default GitHub Actions token
- uses: continuedev/continue/actions/base-review@main
  with:
    continue-api-key: ${{ secrets.CONTINUE_API_KEY }}

# With GitHub App (auto-generates token internally)
- uses: continuedev/continue/actions/base-review@main
  with:
    continue-api-key: ${{ secrets.CONTINUE_API_KEY }}
    app-id: ${{ secrets.CONTINUE_APP_ID }}
    app-private-key: ${{ secrets.CONTINUE_APP_PRIVATE_KEY }}

# External token (for users who generate their own)
- uses: continuedev/continue/actions/base-review@main
  with:
    continue-api-key: ${{ secrets.CONTINUE_API_KEY }}
    github-token: ${{ steps.generate-token.outputs.token }}

Security Improvements:

• Workflow filtering: Prevents unnecessary runs and secret exposure
• Comment sanitization: Treats user input as data, never as executable code
• Temp file usage: Avoids shell injection vulnerabilities
• Permission validation: Only authorized users can trigger reviews
• Resource protection: Reduces unnecessary workflow runs

Benefits:

• Branded Bot Identity: Reviews appear from continue-agent[bot] instead of github-actions[bot]
• Better Rate Limits: GitHub Apps have higher API rate limits
• Enhanced Security: Uses short-lived tokens instead of long-lived PATs
• Graceful Degradation: Works without app installation, just with reduced features
• User-Friendly Setup: Helpful error messages guide users through app installation if needed
• Flexible Reviews: Support for custom review instructions via comments

AI Code Review

• Team members only: AI review runs automatically when PR is opened or marked ready for review
• Team members can still trigger a review by commenting @continue-general-review or @continue-detailed-review, however this would be cleaner as a webhook in the future.

Checklist

• I've read the contributing guide
• The relevant docs, if any, have been updated or created
• The relevant tests, if any, have been updated or created

Screen recording or screenshot

[ When applicable, please include a short screen recording or screenshot - this makes it much easier for us as contributors to review and understand your changes. See this PR as a good example. ]

The main goal was allowing the app to comment instead of GitHub. The other changes were clean from the reviews.

Now use the GitHub App logo to comment.

Tests

[ What tests were added or updated to ensure the changes work as expected? ]

.github/workflows/test-continue-agent.yml is the test and will be deleted once confirmed working. We first need to add the CONTINUE_APP_PRIVATE_KEY & CONTINUE_APP_ID

---

Summary by cubic

Adds GitHub App authentication to the review actions so reviews post as continue-agent[bot] with better rate limits and short‑lived tokens. Defaults to the app and falls back to the standard Actions token if not configured.

• New Features

  • Support GitHub App auth in general-review and detailed-review via use_github_app (default true) with fallback to GITHUB_TOKEN.
  • Generate app tokens using actions/create-github-app-token with CONTINUE_APP_ID (variable) and CONTINUE_APP_PRIVATE_KEY (secret); pass GH_TOKEN to checkout and github-script.
  • Update docs with setup, benefits, and troubleshooting; add a test workflow to exercise both app and non‑app modes.

• Migration

  • Install the Continue Agent app and grant repo access; add CONTINUE_APP_PRIVATE_KEY (secret) and CONTINUE_APP_ID (variable).
  • Or set use_github_app: false to keep using github-actions[bot].
  • Ensure workflow permissions: contents read; pull-requests and issues write.

[dosubot]

Related Documentation

No published documentation to review for changes on this repository.
Write your first living document

^{How did I do? Any feedback?}  

[github-actions]

This PR introduces GitHub App authentication support for Continue's code review actions and adds a new base-review action for zero-config setup. The implementation is solid but has several areas that need attention, particularly around error handling, security practices, and script robustness.

---

💡 To request a new detailed review, comment @continue-detailed-review

[github-actions]

⚠️ AI review completed but no review output was generated. Check the action logs for details.

---

💡 To request a new review, comment @continue-general-review

[github-actions]

⚠️ AI review completed but no review output was generated. Check the action logs for details.

---

💡 To request a new review, comment @continue-general-review

[github-actions]

This PR introduces a GitHub App integration for Continue Agent reviews and adds a new base-review action for zero-config setup. While the implementation is generally good, there are several areas that need attention: security improvements for error handling, consistency in naming conventions, better user guidance, and some potential edge cases in the review logic.

---

💡 To request a new detailed review, comment @continue-detailed-review

[github-actions]

Code Review Summary

✅ Strengths

• GitHub App Integration: Excellent implementation of GitHub App support for better bot identity and enhanced rate limits
• Zero-Config Option: New base-review action provides a simplified setup experience with sensible defaults
• Improved Token Management: Proper handling of token precedence (app token > provided token > default token)
• User Experience: Helpful bot messages when GitHub App is not installed, guiding users through setup
• Documentation: Comprehensive README updates with clear setup instructions and troubleshooting guide
• Flexibility: Actions support both with and without GitHub App, giving users choice

⚠️ Issues Found

High

• Branch Reference Issue: The base-review action references @bdougie/continue-agent branch instead of a stable reference. This could break when the branch is deleted or renamed.

Medium

• Missing Input Validation: The new use_github_app input is documented in README but not implemented in the actual action files
• Inconsistent Token Handling: The base-review action doesn't use the token management pattern from general/detailed review actions
• Security Consideration: Storing app ID as a variable instead of a secret may expose it unnecessarily (though not critical)

Low

• TODO Comments: Both general and detailed review actions contain TODO comments about consolidating into a single action - these should be tracked as issues
• Hardcoded Values: Base-review action hardcodes continue-org: "continuedev" and continue-config: "continuedev/review-bot" which limits flexibility

💡 Suggestions

• Single Entry Point: Consider implementing the TODO suggestion to create a unified @continue-agent mention handler that intelligently routes to general or detailed review
• Configuration Inheritance: Allow base-review to accept optional org/config inputs while maintaining zero-config defaults
• Error Handling: Add validation for GitHub App credentials format before attempting to generate token
• Testing: Add workflow tests to verify both GitHub App and non-App paths work correctly
• Migration Guide: Consider adding a migration section for users moving from existing review actions to the new base-review

🚀 Overall Assessment

COMMENT

This PR successfully implements GitHub App integration for Continue's code review actions, providing a better user experience with branded bot identity and improved rate limits. The zero-config base-review action is a great addition for quick setup. However, the branch reference issue should be fixed before merging, and the missing use_github_app input implementation needs to be addressed. The overall architecture is sound and the documentation is thorough.

---

💡 To request a new review, comment @continue-general-review

[bdougie]

✅ Review Comments Addressed

Thank you for the thorough reviews! I've addressed all the major concerns raised:

🔧 Changes Made:

1. Fixed Configuration Flexibility (High Priority)

   • Added continue-org and continue-config as configurable inputs to base-review action
   • Maintained zero-config defaults (continuedev and continuedev/review-bot)
   • Users can now customize their review configuration while keeping the simple setup option

2. Added Security/Authorization Checks (High Priority)

   • Added permission validation for PR authors and commenters
   • Only OWNER, MEMBER, or COLLABORATOR can trigger reviews
   • Prevents unauthorized users from triggering reviews

3. Fixed Branch Reference (High Priority)

   • Changed action reference to @main instead of @bdougie/continue-agent
   • This prevents breakage when the feature branch is deleted after merge

4. Added GitHub App Credential Validation (Medium Priority)

   • Validates that both app-id and app-private-key are provided together
   • Shows warning if only one is provided
   • Helps users understand configuration requirements

5. Improved Token Management (Medium Priority)

   • Standardized token handling across all actions
   • Consistent fallback chain: provided token → app token → default token
   • All actions now support the same authentication patterns

6. TODO Comments (Low Priority)

   • Kept TODO comments as they represent valid future improvements
   • Will be addressed in a follow-up PR to consolidate actions into a single intelligent handler

📊 Summary:

The base-review action now provides the best of both worlds:

• Zero-config by default (just needs CONTINUE_API_KEY)
• Fully configurable for advanced users who need custom settings
• Secure with proper authorization checks
• User-friendly with helpful error messages and setup guidance

All three actions (base-review, general-review, detailed-review) now follow consistent patterns for authentication and configuration, making the codebase more maintainable.

Ready for final review! 🚀