Visor supports GitHub Checks API integration, allowing each configured check to appear as a separate check run in the GitHub PR interface with proper status reporting and issue annotations.
- Individual Check Runs: Each configured check appears as a separate GitHub check run
- Real-time Status Updates: Check runs show "in progress" while executing and complete with success/failure
- Issue Annotations: Issues are displayed as inline annotations on the PR files
- Failure Conditions: Support for custom failure conditions using
fail_ifexpressions (see Fail If) - Configurable: Can be enabled/disabled via action inputs or configuration
- Permission Handling: Gracefully handles insufficient permissions with helpful error messages
- uses: probelabs/visor@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
# Enable/disable GitHub check runs (default: true)
create-check: 'true'
# Other Visor configurations...version: "1.0"
output:
github_checks:
# Enable/disable GitHub check runs (default: true)
enabled: true
# Create individual check runs per check (default: true)
# If false, creates a single combined check run
per_check: true
# Custom name prefix for check runs (default: "Visor")
name_prefix: "Visor AI"
steps:
security-audit:
type: ai
prompt: "Review for security vulnerabilities"
# Fail if critical issues found
fail_if: "criticalIssues > 0"
performance-review:
type: ai
prompt: "Analyze for performance issues"
# Fail if more than 2 error-level issues
fail_if: "errorIssues > 2"
# Global failure condition (applies to all checks)
fail_if: "criticalIssues > 0"Use fail_if expressions to define when checks should fail. For comprehensive documentation, see Fail If.
Primary context variables:
output: The current check's structured output (includesissuesarray and provider-specific fields)outputs: Map of dependency outputs keyed by check name
Legacy variables (backward compatibility):
totalIssues: Total number of issues foundcriticalIssues: Number of critical severity issueserrorIssues: Number of error severity issueswarningIssues: Number of warning severity issuesinfoIssues: Number of info severity issues
fail_if: "criticalIssues > 0" # Fail if any critical issues
fail_if: "errorIssues > 5" # Fail if more than 5 errors
fail_if: "totalIssues > 10" # Fail if more than 10 total issues
fail_if: "criticalIssues + errorIssues > 3" # Fail if critical + error > 3
fail_if: "output.error" # Fail if output contains error flagTo use GitHub Checks API, your GitHub token needs the checks:write permission:
The default ${{ secrets.GITHUB_TOKEN }} includes checks:write permission by default.
If using a PAT, ensure it has the following scopes:
repo(for private repositories)public_repo(for public repositories)
If using GitHub App authentication, ensure the app has:
- Repository permissions: Checks (Write)
The action provides outputs about the GitHub checks:
- name: Check Results
run: |
echo "Checks API Available: ${{ steps.visor.outputs.checks-api-available }}"
echo "Check Runs Created: ${{ steps.visor.outputs.check-runs-created }}"
echo "Check Run URLs: ${{ steps.visor.outputs.check-runs-urls }}"If the GitHub token lacks checks:write permission:
- A warning is logged
- GitHub checks are skipped
- PR comments continue to work normally
- The action does not fail
If GitHub API rate limits are hit:
- Individual check runs may fail
- Failed checks show appropriate error messages
- Other checks continue to execute
If GitHub API is unavailable:
- Check creation is retried
- Failures are logged but don't stop the review
- PR comments serve as fallback
name: Visor Code Review
on:
pull_request:
types: [opened, synchronize]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: probelabs/visor@nightly
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
config-path: '.visor.yaml'- uses: probelabs/visor@v1
with:
app-id: ${{ secrets.VISOR_APP_ID }}
private-key: ${{ secrets.VISOR_PRIVATE_KEY }}
config-path: '.visor.yaml'- uses: probelabs/visor@nightly
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
create-check: 'false' # Disable GitHub checks
comment-on-pr: 'true' # Still comment on PRGitHub restricts permissions for workflows triggered by external contributors from forked repositories for security reasons. This affects check runs but not PR comments.
Default behavior (pull_request trigger):
- ✅ Works for PRs from same repository (branch PRs)
- ❌ Check runs fail with 403 error for fork PRs
- ✅ PR comments work for all PRs (including forks)
- ✅ Visor gracefully falls back to comments only for forks
For fork PR support with check runs (use pull_request_target trigger):
- ✅ Works for both fork and branch PRs
- ✅ Check runs work for all PRs
⚠️ Security consideration: Workflow runs with write permissions
To enable check runs for external contributor PRs, change the workflow trigger:
name: Visor Code Review
on:
pull_request_target: # Instead of pull_request
types: [opened, synchronize, edited]
permissions:
contents: read
pull-requests: write
issues: write
checks: write
jobs:
review:
runs-on: ubuntu-latest
steps:
# Explicitly checkout PR code (not base branch)
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: probelabs/visor@v1
with:
# ... your configurationKey differences:
- Trigger:
pull_request_targetinstead ofpull_request - Checkout: Must specify
ref: ${{ github.event.pull_request.head.sha }}to analyze PR code - Security: Workflow definition comes from base branch (protected from malicious modifications)
When using pull_request_target:
✅ Safe (Visor's approach):
- Workflow file is from base branch (can't be modified by PR)
- Only analyzes code (read-only operation)
- Uses controlled AI providers with API keys from secrets
- Comments and checks are the only write operations
- Don't execute arbitrary code from the PR (scripts, dependencies)
- Don't use
npm installif package.json is modified by PR - Don't run untrusted build commands
If check runs fail (403 error), Visor automatically:
-
Logs clean error message:
⚠️ Could not create check run for security: Resource not accessible by integration 💬 Review will continue using PR comments instead -
Continues review: All checks run normally
-
Uses PR comments: Full review posted as comment
-
Fails if needed: Action still fails if critical issues found
No code changes needed - fallback is automatic.
- Verify token has
checks:writepermission - Check action logs for permission errors
- Ensure
create-check: 'true'(default) - Verify configuration
output.github_checks.enabled: true - For fork PRs: Use
pull_request_targettrigger (see Fork PR Support)
- Review failure conditions in configuration
- Check issue severity counts in check run details
- Verify expressions use correct variable names
- Test failure conditions with sample data
- For fork PRs: This is expected with
pull_requesttrigger - usepull_request_targetor accept comment-only mode - For GitHub Apps: Check repository permissions include "Checks (Write)"
- For PATs: Ensure token has appropriate repository scopes
- For default token: Usually works out of the box for same-repo PRs
If you're currently using Visor with only PR comments:
- No action required: GitHub checks are enabled by default
- Customize check names: Set
output.github_checks.name_prefix - Add failure conditions: Define
fail_ifconditions for your checks - Test in staging: Verify checks appear correctly before production use
The integration is designed to be backward-compatible - existing configurations continue to work with the addition of GitHub checks.
- Fail If - Comprehensive guide to failure condition expressions
- Action Reference - Full GitHub Action inputs and outputs reference
- Troubleshooting - Common issues and solutions