Announcement

ReviewSentry v0.3.4–v0.3.5-beta — Available Now

By Stu Last


Two new releases of ReviewSentry are now live on the GitHub Actions Marketplace. Both came directly from running ReviewSentry on its own pull requests — the tool reviews every change we make to it, which means we are always using it, always finding ways to improve it, and always catching things worth fixing.

These releases are the result of a thorough audit of our own codebase: a security fix for Gemini users that we caught through that process, end-to-end testing that surfaced features that were documented but not fully wired, and targeted work to make ReviewSentry handle real-world PR sizes without truncating findings.

Security hardening

Gemini API key removed from URL

If you use ReviewSentry with the Gemini provider, earlier releases sent your API key as a ?key= query parameter in the request URL. Query strings are routinely written to server-side access logs, proxy logs and CDN traces, so the key could end up in plaintext in systems outside your control. The key is now sent in the X-goog-api-key request header, which standard access logging does not record. Moving the key cannot recall anything that was already logged, so if you have used the Gemini provider with an earlier release, rotate your API key.

Output delimiter hardened

The GITHUB_OUTPUT multiline (heredoc) delimiter used to be the static string AI_REVIEW_EOF. If an AI-generated review contained that exact string on a line of its own, the runner treated that line as the end of the value: the rest of the review was silently dropped, the verdict was not extracted, and the check failed with a confusing error. Because the delimiter was fixed and public, the collision could also be triggered deliberately by anyone who could get the string quoted into the review. The delimiter is now generated per run with secrets.token_hex(8), a 16-character random string the model never sees, which reduces the chance of a collision, accidental or induced, to a negligible level.
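To make the failure mode concrete, here is an added Python example (not ReviewSentry's own code; Python because secrets.token_hex is what the page names). It writes a review to a GITHUB_OUTPUT-style file in the runner's name<<DELIMITER heredoc form and parses it back the way the runner does, first with the old static delimiter and then with a fresh secrets.token_hex(8) delimiter. The sample review, the output name review, the ### Verdict heading and the simplified parser are all constructed for the example.

```python
import io
import secrets

# Constructed sample review: the old static delimiter appears on its own line
# in the middle of the body, before the verdict section.
STATIC_DELIMITER = "AI_REVIEW_EOF"
SAMPLE_REVIEW = "\n".join([
    "### Security",
    "- No hard-coded secrets found.",
    STATIC_DELIMITER,
    "### Verdict",
    "APPROVE",
])


def safe_delimiter(value, nbytes=8):
    """Return a random heredoc delimiter that does not occur as a line of value.

    secrets.token_hex(8) gives 16 hex characters (64 bits) that the model which
    produced value has never seen; the retry loop is defence in depth and is not
    expected to iterate in practice.
    """
    lines = set(value.splitlines())
    while True:
        candidate = secrets.token_hex(nbytes)
        if candidate not in lines:
            return candidate


def write_multiline_output(fh, name, value, delimiter):
    """Append a multiline output in the form GitHub Actions expects:
    name<<DELIMITER / value lines / DELIMITER."""
    fh.write(f"{name}<<{delimiter}\n{value}\n{delimiter}\n")


def parse_github_output(text):
    """Simplified emulation of how the runner reads GITHUB_OUTPUT.

    Returns (outputs, errors). A heredoc body ends at the first line that equals
    the delimiter; anything after that is parsed as new entries, and a line that
    is neither key=value nor a heredoc header is recorded as an error.
    """
    outputs, errors = {}, []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if "<<" in line:
            name, delimiter = line.split("<<", 1)
            body = []
            i += 1
            while i < len(lines) and lines[i] != delimiter:
                body.append(lines[i])
                i += 1
            if i == len(lines):
                errors.append(f"matching delimiter not found for {name!r}")
            outputs[name] = "\n".join(body)
        elif "=" in line:
            name, value = line.split("=", 1)
            outputs[name] = value
        elif line.strip():
            errors.append(f"invalid format: {line!r}")
        i += 1
    return outputs, errors


def extract_verdict(review):
    """Return the line following the '### Verdict' heading, or None if missing."""
    lines = review.splitlines()
    for idx, line in enumerate(lines[:-1]):
        if line.strip() == "### Verdict":
            return lines[idx + 1].strip()
    return None


def round_trip(delimiter=None):
    """Write SAMPLE_REVIEW with the given (or a fresh random) delimiter and read
    it back; returns (recovered_review, verdict, parser_errors)."""
    if delimiter is None:
        delimiter = safe_delimiter(SAMPLE_REVIEW)
    fh = io.StringIO()
    write_multiline_output(fh, "review", SAMPLE_REVIEW, delimiter)
    outputs, errors = parse_github_output(fh.getvalue())
    review = outputs.get("review", "")
    return review, extract_verdict(review), errors


if __name__ == "__main__":
    for label, delim in (("static", STATIC_DELIMITER), ("random", None)):
        review, verdict, errors = round_trip(delim)
        print(f"{label}: lines kept={len(review.splitlines())} "
              f"verdict={verdict} errors={len(errors)}")
```

With the static delimiter the parser keeps only the first two lines, finds no verdict, and reports the trailing lines as malformed entries; with the random delimiter the whole review and the verdict survive.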

Better support for large PRs

Diff chunking

Set chunk_large_diffs: true in .github/reviewsentry.yml to review the full diff across several AI passes instead of truncating it at a line limit. Each pass covers a batch of files; findings from all passes are aggregated and the most severe verdict across passes becomes the overall verdict. When chunking is off (the default), files that were not reviewed because of the line limit are now listed in the comment, so nothing is silently skipped.
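An added Python sketch (not the project's implementation) of the two modes described above: files are split out of a unified diff, batched under a line limit, reviewed per batch, and the most severe verdict wins; with chunking off, the files that did not fit are reported rather than dropped. The diff, the keyword-based stand-in for the AI reviewer and the verdict names APPROVE/COMMENT/REQUEST_CHANGES (GitHub's review event names; the page does not say what ReviewSentry uses) are assumptions.

```python
import re

# Constructed three-file unified diff. The hard-coded credential sits in the
# second file, so a reviewer that stops at the line limit never sees it.
SAMPLE_DIFF = """\
diff --git a/app/auth.py b/app/auth.py
--- a/app/auth.py
+++ b/app/auth.py
@@ -1,3 +1,4 @@
 import os
+# TODO: add rate limiting
 def login(user):
     return user
diff --git a/app/handlers.py b/app/handlers.py
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -1,2 +1,3 @@
 def index():
+    PASSWORD = "hunter2"
     return "ok"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # App
+Run with make run.
"""

# Assumed verdict names (GitHub's review event names); most severe last.
VERDICT_ORDER = ["APPROVE", "COMMENT", "REQUEST_CHANGES"]
FILE_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")


def split_diff_by_file(diff):
    """Return [{'path': str, 'lines': [str]}], header line included."""
    files = []
    for line in diff.splitlines():
        m = FILE_HEADER.match(line)
        if m:
            files.append({"path": m.group(2), "lines": [line]})
        elif files:  # lines before the first header are ignored
            files[-1]["lines"].append(line)
    return files


def batch_files(files, line_limit):
    """Greedy in-order batching. A single file larger than the limit still
    gets its own batch (it would need hunk-level splitting to fit a model)."""
    batches, current, count = [], [], 0
    for f in files:
        n = len(f["lines"])
        if current and count + n > line_limit:
            batches.append(current)
            current, count = [], 0
        current.append(f)
        count += n
    if current:
        batches.append(current)
    return batches


def worst_verdict(verdicts):
    """Worst-case aggregation: the most severe verdict across passes."""
    return max(verdicts, key=VERDICT_ORDER.index, default="APPROVE")


def fake_reviewer(batch_text):
    """Stand-in for the AI pass: looks only at added lines."""
    added = [l[1:] for l in batch_text.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    if any(re.search(r'PASSWORD\s*=\s*"', l) for l in added):
        return "REQUEST_CHANGES"
    if any("TODO" in l for l in added):
        return "COMMENT"
    return "APPROVE"


def review_pr(diff, line_limit, chunk_large_diffs, reviewer):
    """Run one pass per batch (or only the first batch when chunking is off)
    and report the verdict, the pass count and any files left unreviewed."""
    files = split_diff_by_file(diff)
    batches = batch_files(files, line_limit)
    skipped = []
    if not chunk_large_diffs and len(batches) > 1:
        skipped = [f["path"] for batch in batches[1:] for f in batch]
        batches = batches[:1]
    verdicts = [reviewer("\n".join(l for f in batch for l in f["lines"]))
                for batch in batches]
    return {"verdict": worst_verdict(verdicts),
            "passes": len(batches), "skipped": skipped}


if __name__ == "__main__":
    for chunk in (False, True):
        print(f"chunk_large_diffs={chunk}:",
              review_pr(SAMPLE_DIFF, 8, chunk, fake_reviewer))
```

With a line limit of 8 and chunking off, only app/auth.py is reviewed (verdict COMMENT) and the comment lists app/handlers.py and README.md as unreviewed; with chunking on, three passes run and the credential in the second batch drives the overall verdict to REQUEST_CHANGES.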

Configurable token limit

The AI response token limit is now configurable via the max_tokens input, with a default of 4096 (previously hardcoded at 1024 in all adapters). Reviews no longer cut off mid-criterion on non-trivial pull requests.

Output splitting

Reviews longer than 50,000 characters are split at criterion-section boundaries and posted as sequential PR comments labelled (1/N), (2/N), and so on, which keeps each comment under GitHub's 65,536-character limit on comment bodies. The verdict always appears in the final comment.
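An added Python example, not ReviewSentry's code, of splitting at section boundaries with the verdict forced into the final comment and a single oversized section hard-split rather than dropped. The ### heading convention, the label format and the 32-character reserve for the label are assumptions; the sample review is constructed.

```python
HEADING = "### "            # assumed criterion-section heading convention
VERDICT_HEADING = "### Verdict"
LABEL_RESERVE = 32          # room for the "(i/N)" label prepended to each part

# Constructed review; note that the model put the verdict first.
SAMPLE_REVIEW = "\n".join([
    "### Verdict",
    "REQUEST_CHANGES",
    "Block merge until the Critical finding is fixed.",
    "### Security",
    "- 🔴 Hard-coded credential in app/handlers.py",
    "- 🟡 Consider constant-time comparison in login()",
    "### Correctness",
    "- 🔵 Loop bound is fine; noting for clarity",
    "### Style",
    "- 🟡 Long function index()",
])


def split_sections(review):
    """Split on heading lines; text before the first heading is its own section."""
    sections, current = [], []
    for line in review.splitlines():
        if line.startswith(HEADING) and current:
            sections.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        sections.append("\n".join(current))
    return sections


def split_review(review, limit=50_000):
    """Return the list of comment bodies to post, in order, each within limit."""
    sections = split_sections(review)
    # Move the verdict section to the end so it always lands in the final comment.
    verdict = [s for s in sections if s.startswith(VERDICT_HEADING)]
    sections = [s for s in sections if not s.startswith(VERDICT_HEADING)] + verdict
    budget = limit - LABEL_RESERVE
    parts, buf = [], ""
    for sec in sections:
        joined = sec if not buf else buf + "\n" + sec
        if len(joined) <= budget:
            buf = joined
            continue
        if buf:
            parts.append(buf)
        while len(sec) > budget:        # a single oversized section is hard-split
            parts.append(sec[:budget])
            sec = sec[budget:]
        buf = sec
    if buf:
        parts.append(buf)
    if len(parts) == 1:
        return parts                    # no label needed for a single comment
    n = len(parts)
    return [f"**ReviewSentry review ({i}/{n})**\n\n{p}"
            for i, p in enumerate(parts, 1)]


if __name__ == "__main__":
    for part in split_review(SAMPLE_REVIEW, limit=150):
        print(f"--- {len(part)} chars ---")
        print(part)
```

Run with a deliberately small limit of 150, the sample splits into three comments, the verdict section is the only content of the last one, and no part exceeds the limit. Python's len counts code points, which is the right measure only if the target limit does too; treat the limit as a budget with headroom rather than an exact fit.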

Clearer, more honest output

Four-level severity

Findings now use four severity levels instead of three: 🔴 Critical (block merge), 🟠 High (fix before merge), 🟡 Moderate (a specific change is recommended), and 🔵 Low/Informational (observation only — no fix needed). Previously, 🟡 covered both Moderate and Low, making informational notes visually indistinguishable from genuine warnings. The 🔵 indicator now gives the AI a clear way to say "I noticed this, but the code is correct." A severity legend is included in the comment footer.

Configurable PR description length

The pr_body_chars input controls how much of the PR description is sent to the AI as context. The default is 2000 characters (previously hardcoded at 500). When the description is longer than the limit, the prompt includes the character count omitted so the AI does not flag the description as incomplete.

Bug fixes

Custom rules now fully implemented

The custom_rules input was wired in action.yml and documented in the README, but the review script never read the CUSTOM_RULES environment variable. Custom sensitive data patterns were silently ignored. They now work end-to-end: patterns are parsed and appended to the sensitive data criterion as project-specific High-severity terms.

Draft PR skip fixed

In a composite action, exit 0 inside a run: step ends only that step's shell; the steps after it still run, so the previous draft-skip logic did not actually skip the review. The skip is now implemented the way composite actions require: the check step records its result in an output variable, and every downstream step carries an if: guard on that output.

Updating

Update the commit SHA pinned in your workflow's uses: line to the latest v0.3.5-beta release:

cc0ff9f039146dcfa72f1d5e2460881213002cf4

The full release history with all SHAs is on the ReviewSentry product page. All releases are also on the GitHub Releases page.

If you are new to ReviewSentry, the product page covers setup, configuration, and the recommended PR workflow. ReviewSentry is MIT licensed, free to use, and works at zero additional cost with your existing GitHub account via GitHub Models.

Senior technology expertise —
security-first, AI-aware.

From architecture and outsourced development to compliance, AI integration, and tooling setup — Spyced Concepts delivers senior-level expertise across the full stack.
