GitHub Action reference

Complete inputs, outputs, secrets, and versioning for the lupe GitHub Action.

The lupe GitHub Action runs an AI code review on your pull requests using your own model token. It reads the PR diff from the GitHub API, posts a single batched review with inline comments, and maintains one sticky summary comment for incremental re-reviews.

For a step-by-step setup, see the GitHub Action getting-started guide.

Usage

# .github/workflows/lupe.yml
name: lupe
on:
  pull_request:

permissions:
  contents: read # read the repo
  pull-requests: write # post the review + summary

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: gigadrive/lupe/apps/action@v0 # moving major alias; or pin an immutable @v0.1.0
        with:
          provider: anthropic
          profile: chill
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}

The checkout needs no special fetch-depth: lupe reads the diff from the GitHub API, and incremental re-reviews key off the last-reviewed SHA stored in the sticky summary comment rather than local git history.

Trigger on pull_request, not pull_request_target. Running with a writable token against an untrusted fork checkout is a documented RCE / secret-exfiltration vector; see security and privacy.

Inputs

Most inputs default to empty, which means "fall back to your .lupe.yaml (or the built-in default)". When set, an input overrides the corresponding config key. See configuration for the file-based equivalents.

| Input | Default | Description |
| --- | --- | --- |
| github-token | ${{ github.token }} | Token used to read the PR and post review comments. |
| provider | (empty → anthropic) | Model provider: anthropic \| openai \| google \| bedrock \| openai-compatible \| gateway. Overrides .lupe.yaml; falls back to anthropic. |
| models | (empty) | JSON map of task→model id, e.g. {"review":"claude-opus-4-8"}. Overrides .lupe.yaml. |
| profile | (empty → chill) | Review profile: chill \| assertive. Overrides .lupe.yaml; defaults to chill. |
| base-url | (empty) | Custom base URL (for openai-compatible / gateway). |
| max-files | (empty) | Maximum number of changed files to review. |
| max-findings | (empty) | Maximum number of findings to keep. |
| confidence-threshold | (empty) | Global confidence floor (0..1) for keeping a finding. Overrides .lupe.yaml. |
| suppress-advisory | (empty) | Drop advisory (style/docs/test/maintainability) findings entirely: true \| false. |
| min-severity-to-comment | (empty) | Only post inline comments for findings at/above this severity (rest stay in the summary): critical \| high \| medium \| low \| info. |
| thorough | false | Use the strongest model and extra passes. |
| max-chunk-tokens | (empty) | Max serialised-diff tokens per review pass (large-PR map-reduce). |
| max-chunks | (empty) | Hard ceiling on review passes for a large PR. Overflow is reported, not silently dropped. |
| review-concurrency | (empty) | How many large-PR review passes to run concurrently. |
| max-cost-usd | (empty) | Hard USD ceiling for a review. Over-budget runs fail before/mid the model calls rather than posting. |
| skip-draft | true | Skip draft pull requests. |
| allow-untrusted-checkout | false | Opt in to running on pull_request_target. Only set true if the job does NOT check out untrusted PR code; the review runs tool-less regardless. |
| fail-on-severity | none | Fail the job if any finding is at/above this severity: none \| critical \| high \| medium \| low. |

Outputs

| Output | Description |
| --- | --- |
| findings | Number of findings posted. |
| cost-usd | Approximate USD cost of the review. |
| skipped | Number of changed files left unreviewed because the chunk ceiling was reached. |

Required secrets

The only required secret is your provider key. GitHub access uses the built-in GITHUB_TOKEN (wired through github-token), so you do not need to create a personal access token.

| Provider | Secret / env var |
| --- | --- |
| anthropic | ANTHROPIC_API_KEY |
| openai | OPENAI_API_KEY |
| google | GOOGLE_GENERATIVE_AI_API_KEY |
| gateway | AI_GATEWAY_API_KEY |

Pass the key through the step's env, as shown in the usage snippet. See providers and models for the full provider list and how to select models.

Versioning

Reference the action as gigadrive/lupe/apps/action at one of two kinds of ref:

  • @v0: a moving major alias that always points at the latest 0.x release. While lupe is pre-1.0 the alias is @v0 (there is no @v1 yet).
  • @v0.1.0: an immutable version tag, for reproducible pins.

The built bundle is attached to release tags, not committed to main: the release workflow builds the bundle and tags it as the immutable vX.Y.Z plus the moving vN alias. Because GitHub runs the action from the referenced git ref, consumers need no build step, and main stays free of build output. Do not reference @main.
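
The trigger warning under Usage and the ref guidance under Versioning can be checked mechanically before a workflow is merged. The following is an added example, not code from lupe or its documentation: a text-level audit of one workflow file. The sample workflow, the finding codes and severities, and the line-based comment stripping are assumptions made for illustration.

```python
import re

# Constructed workflow for the demo (not from the lupe docs or repository).
RISKY = """\
on:
  pull_request_target:   # base-repo token and secrets are in scope
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: gigadrive/lupe/apps/action@main
        with:
          allow-untrusted-checkout: true
"""

LUPE_USES = re.compile(r"(?m)^\s*-?\s*uses:\s*gigadrive/lupe/apps/action@(\S+)")

def classify_ref(ref):
    """Map an action ref to the kinds of ref the Versioning section describes."""
    if re.fullmatch(r"v\d+\.\d+\.\d+", ref):
        return "immutable"          # e.g. v0.1.0
    if re.fullmatch(r"v\d+", ref):
        return "moving"             # e.g. v0
    return "branch-or-other"        # e.g. main

def audit(workflow_text):
    """Return (severity, code) findings for the text of one workflow file."""
    # Drop YAML comments; heuristic assumes no '#' inside quoted strings.
    body = re.sub(r"(?m)(^|[ \t])#.*$", "", workflow_text)
    findings = []
    if re.search(r"\bpull_request_target\b", body):
        findings.append(("warn", "pull_request_target-trigger"))
        if "github.event.pull_request.head." in body:
            findings.append(("high", "pr-head-checkout"))
    if re.search(r"(?m)^\s*allow-untrusted-checkout:\s*['\"]?true\b", body):
        findings.append(("warn", "allow-untrusted-checkout"))
    for ref in LUPE_USES.findall(body):
        kind = classify_ref(ref)
        if kind != "immutable":
            severity = "info" if kind == "moving" else "warn"
            findings.append((severity, f"lupe-ref-{kind}:{ref}"))
    return findings

if __name__ == "__main__":
    for severity, code in audit(RISKY):
        print(severity, code)
```

Run against the usage snippet on this page, the audit reports only the informational moving-alias finding for @v0; pinning @v0.1.0 clears it.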
