
Svelte Autopilot

AI code review specialized for Svelte 5 & SvelteKit, on every pull request.

Generic review bots don't know that a $effect setting derived state should be a $derived, that importing $env/static/private into a component leaks a secret to the browser, or that touching window at the top level crashes SSR. Svelte Autopilot does. It reads each PR's diff and leaves a focused review of the issues that actually matter for Svelte 5 and SvelteKit.

Two ways to use it

  • 🆓 Free GitHub Action (this repo): bring your own OpenAI key. Setup below.
  • ⚡ Hosted Pro: no API key, no CI setup, unlimited reviews. Install the app → · Dashboard

Quick start

  1. Add your OpenAI key as a repository secret named OPENAI_API_KEY (Settings → Secrets and variables → Actions).
  2. Create .github/workflows/svelte-review.yml:
name: Svelte Autopilot

on:
  pull_request:

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: isabellehuecloser-ctrl/svelte-autopilot@v0
        with:
          api-key: ${{ secrets.OPENAI_API_KEY }}

No checkout is needed: the diff is read through the GitHub API. Open a PR and the bot posts (and keeps updating) a single review comment.


What it catches

Runes & reactivity

  • $effect used to compute derived state (should be $derived)
  • effects that loop by writing state they read
  • destructured $state losing reactivity
  • non-reactive let in .svelte.ts modules
  • mutating non-$bindable props

SvelteKit

  • secrets / private data returned from a universal load (+page.ts) instead of +page.server.ts
  • $env/static/private imported into client-reachable code (leak)
  • window / document / localStorage at module top level (SSR crash)
  • form actions, use:enhance, and invalidate misuse

Security & a11y

  • {@html} on unsanitized input (XSS)
  • missing alt, label association, keyboard handlers
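Three of the checks listed above, written as small static rules over constructed sample files so the patterns are concrete. This is an added example and not code from the svelte-autopilot project: the real action hands the diff to an LLM, whereas these rules are deliberate approximations (brace-depth counting for "top level", a name-based allow-list for sanitizers) that will miss or over-report some cases. The rule names and the sample paths are the example's own.

```javascript
// Added example, not code from the svelte-autopilot project: three of the
// checks the README lists, as deliberately simple static rules.

// SvelteKit server-only modules, where '$env/*/private' imports are safe:
// +server.*, +page.server.*, +layout.server.*, hooks.server.*, src/lib/server/**
function isServerOnly(path) {
  return /(^|\/)\+(server|[a-z]+\.server)\.(ts|js)$/.test(path)
    || /(^|\/)lib\/server\//.test(path)
    || /(^|\/)hooks\.server\.(ts|js)$/.test(path);
}

// 1-based line number of a character offset in `source`.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// For .svelte files only the <script> block is code; .ts/.js modules are all code.
function scriptBody(path, source) {
  if (!path.endsWith('.svelte')) return { text: source, offset: 0 };
  const m = /<script[^>]*>([\s\S]*?)<\/script>/.exec(source);
  if (!m) return { text: '', offset: 0 };
  return { text: m[1], offset: m.index + m[0].indexOf(m[1]) };
}

// Rule 1: private env imported anywhere the browser bundle can reach.
function checkPrivateEnvLeak(path, source) {
  if (isServerOnly(path)) return [];
  const findings = [];
  for (const m of source.matchAll(/from\s+['"]\$env\/(static|dynamic)\/private['"]/g)) {
    findings.push({ rule: 'private-env-leak', path, line: lineOf(source, m.index) });
  }
  return findings;
}

// Rule 2: browser globals used at brace depth 0 of the script (module top
// level), which runs during SSR on the server where those globals do not exist.
const BROWSER_GLOBALS = /\b(window|document|localStorage|sessionStorage)\b/;
const count = (s, ch) => s.split(ch).length - 1;

function checkTopLevelBrowserGlobals(path, source) {
  const { text, offset } = scriptBody(path, source);
  const findings = [];
  let depth = 0, pos = 0;
  for (const line of text.split('\n')) {
    const idx = line.search(BROWSER_GLOBALS);
    if (idx !== -1 && !/^\s*(\/\/|\*)/.test(line)) {
      const before = line.slice(0, idx);
      const depthAtMatch = depth + count(before, '{') - count(before, '}');
      // `typeof window` is a legitimate top-level guard, not a crash.
      if (depthAtMatch === 0 && !/typeof\s*$/.test(before)) {
        findings.push({ rule: 'ssr-unsafe-global', path, line: lineOf(source, offset + pos) });
      }
    }
    depth += count(line, '{') - count(line, '}');
    pos += line.length + 1;
  }
  return findings;
}

// Rule 3: {@html} whose expression does not visibly pass through a sanitizer.
function checkUnsanitizedHtml(path, source) {
  if (!path.endsWith('.svelte')) return [];
  const findings = [];
  for (const m of source.matchAll(/\{@html\s+([^}]*)\}/g)) {
    if (/\b(sanitize|DOMPurify)\b/i.test(m[1])) continue; // heuristic allow-list
    findings.push({ rule: 'unsanitized-html', path, line: lineOf(source, m.index), expr: m[1].trim() });
  }
  return findings;
}

function reviewFile(path, source) {
  return [
    ...checkPrivateEnvLeak(path, source),
    ...checkTopLevelBrowserGlobals(path, source),
    ...checkUnsanitizedHtml(path, source),
  ];
}

// Constructed sample files (not from any real repository).
const SAMPLE_FILES = {
  'src/routes/+page.ts': [
    "import { API_SECRET } from '$env/static/private';", // universal load: ships to the browser
    'export const load = async () => ({ token: API_SECRET });',
  ].join('\n'),
  'src/routes/+page.server.ts': [
    "import { API_SECRET } from '$env/static/private';", // server-only module: fine
    'export const load = async () => ({ ok: true });',
  ].join('\n'),
  'src/lib/Widget.svelte': [
    '<script>',
    "  import { onMount } from 'svelte';",
    "  const saved = localStorage.getItem('draft');",     // top level: crashes SSR
    "  let html = $state(saved ?? '');",
    '  onMount(() => { html = window.location.hash; });', // inside a callback: fine
    '</script>',
    '<div>{@html html}</div>',                             // unsanitized
    '<div>{@html DOMPurify.sanitize(html)}</div>',
  ].join('\n'),
};

// Runs every rule over every sample file and returns the findings in file order.
function reviewSamples() {
  return Object.entries(SAMPLE_FILES).flatMap(([path, src]) => reviewFile(path, src));
}
```

Calling reviewSamples() yields three findings: the private-env import on line 1 of +page.ts (the same import in +page.server.ts is not reported), the localStorage call on line 3 of Widget.svelte (the window access inside the onMount callback is not), and the first {@html} on line 7. The path-based server-only test is the part worth keeping in mind: whether an import of $env/static/private is a leak depends entirely on which file it lands in.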

Inputs

  • api-key (required, no default): OpenAI API key. Pass it via a repository secret.
  • model (optional, default gpt-4o): OpenAI model. gpt-4o for best accuracy; gpt-4o-mini to cut cost.
  • github-token (optional, default: the workflow token): Token used to read the PR and post the review.
  • max-files (optional, default 20): Maximum number of changed files reviewed per run.
  • include (optional, default **/*.svelte,**/*.ts,**/*.js,…): Comma-separated list of file globs to review.

Outputs

  • findings-count: Number of review findings reported.

How it works

  1. Reads the pull request's changed files and their diffs via the GitHub API.
  2. Filters to Svelte / SvelteKit source files (skips deps, build output, lockfiles).
  3. Sends the diffs to an LLM with a Svelte-5-specialized reviewer prompt.
  4. Posts one grouped review comment, updated in place on every push.
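Steps 2 and 4 of the pipeline above, as an added example that is not the action's own code: the file filter applies the include globs and max-files limit and skips dependencies, build output and lockfiles, and the comment step uses a hidden marker so each push overwrites the previous review instead of adding another one. The GitHub client is an in-memory stand-in and is synchronous only to keep the example short (the real REST calls are async); the marker text, the skip patterns and the shorter default include list are assumptions of the example.

```javascript
// Added example, not the action's own code: the file-selection step (2) and
// the "one comment, updated in place" step (4).

// The README elides the full default include list with "…"; this shorter
// default is an assumption of the example.
const DEFAULT_INCLUDE = '**/*.svelte,**/*.ts,**/*.js';

// What step 2 skips: dependencies, build output, lockfiles (assumed patterns).
const SKIP = [
  /(^|\/)node_modules\//,
  /(^|\/)(\.svelte-kit|build|dist)\//,
  /(^|\/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock|bun\.lockb)$/,
];

// 'include' is comma-separated globs of the form **/*.ext; only the extension matters here.
function parseInclude(include) {
  return include.split(',').map(g => g.trim()).filter(Boolean)
    .map(g => g.replace(/^\*\*\/\*/, '').toLowerCase()); // '**/*.svelte' -> '.svelte'
}

// `changedFiles` is shaped like the PR "list files" response: { filename, status }.
function selectFiles(changedFiles, { include = DEFAULT_INCLUDE, maxFiles = 20 } = {}) {
  const exts = parseInclude(include);
  const matched = changedFiles.filter(f =>
    f.status !== 'removed'                              // nothing left to review
    && !SKIP.some(re => re.test(f.filename))
    && exts.some(ext => f.filename.toLowerCase().endsWith(ext)));
  return { files: matched.slice(0, maxFiles), truncated: Math.max(0, matched.length - maxFiles) };
}

// Step 4: a hidden marker lets each run find and overwrite its own comment
// instead of posting a new one per push. The marker text is an assumption.
const MARKER = '<!-- svelte-autopilot review -->';

function upsertReviewComment(api, body) {
  const full = `${MARKER}\n${body}`;
  const mine = api.listComments().find(c => c.body.startsWith(MARKER));
  if (mine) {
    api.updateComment(mine.id, full);
    return { action: 'updated', id: mine.id };
  }
  return { action: 'created', id: api.createComment(full).id };
}

// Minimal in-memory stand-in for the issue-comments endpoints used above.
function fakeCommentsApi() {
  const comments = [];
  let nextId = 1;
  return {
    comments,
    listComments: () => comments.slice(),
    createComment(body) { const c = { id: nextId++, body }; comments.push(c); return c; },
    updateComment(id, body) { comments.find(c => c.id === id).body = body; },
  };
}

// Constructed PR file list, mixing source, deps, build output and a lockfile.
const SAMPLE_CHANGED_FILES = [
  { filename: 'src/routes/+page.svelte', status: 'modified' },
  { filename: 'src/lib/server/db.ts', status: 'added' },
  { filename: 'node_modules/left-pad/index.js', status: 'modified' },
  { filename: 'package-lock.json', status: 'modified' },
  { filename: '.svelte-kit/output/server/index.js', status: 'added' },
  { filename: 'src/lib/Old.svelte', status: 'removed' },
  { filename: 'README.md', status: 'modified' },
];
```

With the sample list, selectFiles(SAMPLE_CHANGED_FILES) keeps only +page.svelte and db.ts; passing { maxFiles: 1 } keeps one and reports one truncated, which is the number a run would want to mention in its comment so reviewers know part of the PR went unreviewed. Two successive upsertReviewComment calls against fakeCommentsApi() leave exactly one comment with the latest body.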

You bring your own OpenAI key, so the review runs on your account: no diff passes through any third-party service besides your chosen AI provider.

Roadmap

  • Inline review comments on exact diff lines
  • Hosted Pro version (no API key, usage dashboard)
  • Repo-level config (.svelte-autopilot.json): severity threshold, custom rules
  • Additional providers (Anthropic)

License

MIT © Isabelle Hue