
Setting up an agentic GitHub Actions pipeline in 2025

May 2025

GitHub Actions pipelines in 2025 look different than they did two years ago. The addition of AI-powered tools at every stage of the development lifecycle means a CI/CD pipeline can now do a lot more than run tests and deploy. This is a tour of the tools worth adding to an agentic pipeline and how they fit together.

The layers of an agentic pipeline

Think of the pipeline in layers, from fastest to slowest and cheapest to most expensive:

  1. Static analysis — runs in seconds, catches syntax and type errors before tests
  2. Testing — unit and integration tests, the foundation
  3. Security scanning — secret detection, dependency vulnerability checks
  4. AI code review — catches logic errors and suggests improvements
  5. Documentation maintenance — keeps docs in sync with code changes
  6. Deployment — staging, then production

Each layer is a gate. Failures in earlier layers block later ones. AI tools live in layers 4 and 5 — they run after the mechanical checks pass.

AI code review

Code review automation has matured significantly. Tools like CodeRabbit, Greptile, and GitHub Copilot's review features can catch real bugs — not just style issues — by understanding the context of a change across the codebase.

The pattern that works: AI review runs as a non-blocking check on every PR. It posts comments but doesn't block merge. The review is input for the human reviewer, not a gate. Blocking merge on AI review creates frustrating false positives.

# .github/workflows/review.yml
name: AI code review

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: coderabbitai/coderabbit-action@v2
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

Secret scanning

Every pipeline should scan for accidentally committed secrets before they can be merged. gitleaks is the standard choice — fast, configurable, zero dependencies:

- uses: actions/checkout@v4
  with:
    fetch-depth: 0   # gitleaks scans every commit in the PR, so it needs the full history, not a shallow clone
- name: Scan for secrets
  uses: gitleaks/gitleaks-action@v2
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This should be a blocking check. A secret in a commit is not recoverable — the only fix is rotation. Block merge if secrets are detected.

Documentation maintenance with DocDr

This is the stage that most pipelines skip and most teams regret. Code changes, documentation doesn't, and the gap grows over time.

DocDr slots into this layer: it reads the merged PR, compares the diff against your Markdown docs, and opens a draft PR with proposed documentation updates. It runs after merge (not during PR review) so it doesn't add latency to the developer workflow.

name: Documentation maintenance

on:
  push:
    branches: [main]

jobs:
  docdr:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
      - uses: ianjamesburke/docdr@v1

Dependency vulnerability scanning

Dependabot handles this for most repos — enable it in your repository security settings. For teams that want more control, trivy is a solid alternative that integrates cleanly into Actions:

- name: Scan dependencies
  uses: aquasecurity/trivy-action@<release-tag>   # placeholder: pin to a release tag or full commit SHA
  with:
    scan-type: 'fs'
    exit-code: '1'
    severity: 'HIGH,CRITICAL'

Putting it together

The full picture: static analysis and tests run on every PR. Secret scanning blocks merge if anything is found. AI code review posts non-blocking comments. After merge to main, documentation maintenance runs as a background job and opens a draft PR if updates are needed.
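The PR-side layers above wired into one workflow, as an added example that is not from the original post or the DocDr project: `needs:` implements the gating between layers, `continue-on-error` keeps AI review advisory, and the lint/test commands, job names and the `<release-tag>` placeholder are assumptions.

```yaml
# .github/workflows/ci.yml (added example, not from the original post)
name: CI

on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: read          # default to read-only; jobs that need more ask explicitly
jobs:
  checks:                 # layers 1-2: a failing step stops the job and everything downstream
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run lint   # assumption: a Node project with a lint script
      - run: npm test

  secret-scan:            # layer 3, blocking
    needs: checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # gitleaks scans every commit in the PR, so it needs full history
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  dependency-scan:        # layer 3, blocking
    needs: checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@<release-tag>   # placeholder: pin a tag or commit SHA
        with:
          scan-type: 'fs'
          exit-code: '1'
          severity: 'HIGH,CRITICAL'

  ai-review:              # layer 4, advisory only
    needs: [secret-scan, dependency-scan]
    runs-on: ubuntu-latest
    continue-on-error: true   # comments get posted; a failure never blocks merge
    permissions:
      contents: read
      pull-requests: write    # needed to post review comments
    steps:
      - uses: coderabbitai/coderabbit-action@v2
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
```

Mark `checks`, `secret-scan` and `dependency-scan` as required status checks in branch protection; `ai-review` is deliberately left optional so its comments inform the human reviewer without gating the merge.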

This pipeline catches most classes of problems automatically, without requiring developers to remember to do anything beyond writing code and reviewing the occasional AI-generated suggestion. The human stays in the loop at every decision point — the automation handles detection and drafting, not final decisions.
