PR Review Best Practices and Automation
Learn PR review best practices, human vs AI code review, and how automation improves security, quality, and velocity without sacrificing judgment
The tech industry would be far more harmonious if we could all adopt the radical composure AI shows when faced with blunt feedback. Sadly, that's not the case, and we as developers (whether we want to admit it or not) are attached to the code we create. There are millions of different ways to write code; your PR may not be the most effective option. And that's ok! The collective feedback loop was exactly why Pull Requests were created.
To:
- Ensure code quality and security.
- Provide new sets of eyes on code.
- Create a paper trail of edits.
We know there are tons of times when we can get lazy and just submit the PRs without reviewing, but we are seeing hackers and "trusted contributors" change their tactics daily. Just in 2024, if Andres Freund, a principal software engineer at Microsoft, had not been one of the diligent ones and discovered a simple backdoor just weeks before it was included in the latest version of Debian and Red Hat, we'd have serious issues on our hands.
This is why we check, check, and check our code regularly through pull requests. Having new pairs of eyes on code and different angles means a better experience for users, as well as ensuring security.
If you are unsure what a Pull Request is, you've come to the right place. We will deep dive into what PRs are and how to do them correctly.
What is a Pull Request?
A pull request is a formal proposal to merge code changes from one branch into another within a Git repository. In GitHub, this mechanism serves as the primary interface where developers submit their work for review before it enters the main codebase. The pull request contains the diff of all changes, a title, a description, and a threaded discussion space where reviewers can comment on specific lines of code.
When a developer opens a pull request, they are asking their team to evaluate whether the proposed changes meet the project's standards. The pull request becomes a living document that captures the entire conversation around a set of changes. Every comment, suggestion, and approval lives in that thread, creating an auditable record of how and why code entered the repository.
A developer creates a feature branch, commits their changes, and pushes that branch to the remote repository. They then open a pull request targeting the destination branch, typically main or develop. Reviewers receive notifications, examine the changes, and leave feedback. The author addresses that feedback with additional commits. Once reviewers approve and all CI checks pass, the pull request merges. For more information/ a more detailed visualization of the process, here is a good resource.
We will talk more about how Tembo.io handles pull requests later on, but you can see how many steps a Pull Request workflow can take. Tembo is able to work within this workflow by participating directly in pull requests as an AI agent. So the next time your docket gets filled, let Tembo take over some of those "quick fixes" PRs.
Benefits of Pull Request Reviews
Pull request reviews exist because code quality cannot rely on the author alone. When we write code, we develop blind spots. We understand our own logic so well that we miss its gaps. We remember the context that led to a decision, so we forget to document it. A reviewer approaches the code without these assumptions and catches what we cannot see. The pull request review is where we transform individual work into team-verified output.
Defect Detection
- With PR review: A reviewer notices that our null check happens after we already dereferenced the object. We fix it before merging.
- Without PR review: The null pointer exception surfaces in production three weeks later during an edge case we never tested.
Knowledge Distribution
- With PR review: Three team members now understand the new payment integration because they reviewed the pull request and asked questions.
- Without PR review: Only the original author understands the payment integration. When they leave the company, the team inherits code nobody can maintain.
Consistency Enforcement
- With PR review: A reviewer points out that we used a different error-handling pattern than the rest of the module. We refactor to match the existing convention.
- Without PR review: The codebase accumulates five different error handling patterns. New developers cannot determine which one to follow.
Security Verification
- With PR review: A reviewer questions why we disabled input validation for this endpoint. We realize we left debug code in place and removed it.
- Without PR review: The unvalidated endpoint ships to production. An attacker discovers it six months later.
Accountability and Quality
- With PR review: We add meaningful variable names and inline comments because we know a teammate will read this code tomorrow.
- Without PR review: We ship unknown variable names and no comments because it works.
AI-Generated Code Verification
- With PR review: A reviewer catches that the AI-generated function duplicates logic already present in our utility module. We refactor to use the existing implementation.
- Without PR review: We now maintain two implementations of the same logic. They drift apart over time and produce inconsistent behavior.
Whether a human or AI agent reviews a pull request, the above benefits are applicable to both (for the most part). However, using human and AI review together as part of the code review process is one of the most efficient things the development teams can do. Let's take a look at the pros and cons of both approaches.
Pros and Cons of Human Code Review
In the age of AI, there is no doubt that at least some of our code is reviewed using AI. Though pure human review is an absolute necessity when ensuring your code is up to code (no pun intended).
We rely on other human reviewers to be the gatekeepers of our repositories. While automation tools and CI pipelines catch syntax errors, we, the people writing said code, understand the intent behind the code. However, we are not perfect; we are not machines. We are subject to burnout and time constraints that create bottlenecks in deliverable timelines.
Understanding where we excel and where we struggle is critical for implementing a tried and true workflow. This distinction helps teams decide which tasks belong to engineers and which tasks are better handled by an AI agent like Tembo.
| Pros of Human Review | Cons of Human Review |
|---|---|
| Contextual Nuance: Humans understand the business intent behind the code. | High Latency: Pull requests sit idle for hours or days. |
| Architectural Integrity: Senior engineers identify when a change violates system design principles. | Cognitive Fatigue: Reviewer attention degrades rapidly on large diffs. |
| Knowledge Transfer: The review process spreads domain knowledge across the team. | Inconsistency: Feedback often varies based on the specific reviewer and their current mood (we're all guilty of this). |
| Mentorship: Reviews serve as a primary teaching mechanism where experienced developers guide junior team members toward better patterns. | High Opportunity Cost: Engineers spend expensive time catching trivial syntax errors or style violations instead of focusing on complex logic. |
Pros and Cons of AI Code Review
If you are new to the game of AI code review tooling and agents, we posted a great link here that walks through a few tools.
If you are not new to the game of AI code review tooling and agents, then you have probably experienced firsthand the amazing efficiency gains AI can help with. On the other side of the coin, you probably have experienced the intense pain of certain aspects of AI code review tools. Much like we spoke about previously, just like you put emphasis on reviewing code, you need to make sure you review the AI tooling behind the scenes.
AI reviewers are not a replacement for human judgment. They lack a true understanding of business intent, product nuance, and architectural trade-offs that are often implicit rather than explicit in code. AI can surface potential issues, suggest refactors, and even implement fixes, but it cannot fully evaluate whether a change is right for the system as a whole. This is where AI allows teams to delegate mechanical review tasks to AI agents like Tembo, while reserving human attention for decisions that require experience or intuition.
| Pros of AI Code Review | Cons of AI Code Review |
|---|---|
| Low Latency: Feedback is generated immediately when a pull request is opened or updated. | Limited Intent Awareness: AI infers intent from code and history but cannot fully understand business goals or unstated requirements. |
| Consistency at Scale: Rules, style guides, and best practices are applied uniformly across all repositories and teams. | False Positives: AI may flag issues that are technically correct but contextually unacceptable, creating review noise. |
| Fatigue-Free Analysis: AI maintains the same level of scrutiny on large diffs and repetitive changes without attention loss. | Shallow Architectural Judgment: AI struggles to evaluate novel designs or intentional architectural trade-offs. |
| Automation of Trivial Work: Excels at catching syntax errors, formatting issues, security smells, and common logic bugs. | No Mentorship: AI provides suggestions but does not facilitate discussion, teaching, or shared team understanding. |
Best Practices for Code Review
High-quality pull request reviews require more than careful readers and passing CI checks. It's being able to balance context, timelines, and potentially politely telling someone their code is bad. To ensure the best of the best comes out in your code, much like the principles/checks and balances you put in your code, you should have the same best practices in code review.
Treat Pull Request Review as a Continuous Process
Pull request review should begin the moment a pull request is opened, not when a human reviewer finally has time to respond. Delayed feedback introduces context switching, increases cycle time, and raises the likelihood of mistakes.
Enforce Automatic Standards
One of the most common failure modes of pull request review is inconsistent enforcement. Style violations, error handling patterns, and security practices are often applied unevenly, depending on who is reviewing and how much time they have.
Keep Pull Requests in Scope
Effective code review depends on pull requests that are scoped, understandable, and reviewable. Large, unfocused pull requests increase cognitive load and reduce review quality.
Prioritize
Syntax errors, obvious logic bugs, and missing tests shouldn't be the primary focus of a human review. These issues are predictable and well-suited for automation. We should, of course, take these into account, but leave most of the work to tools like Tembo.
Preserve Human Judgment Where It Matters Most
AI agents excel at consistency and speed, but they do not replace human ownership of a codebase. Decisions involving business logic, architectural direction, and long-term maintainability still require experienced engineers.
Make Review Feedback Clear and Actionable
Comments should reference specific lines, explain why a change is needed, and, when possible, suggest a concrete improvement.
Using Tembo for PR Reviews
At Tembo, we love automation and streamlining developer workflows. As a result, one of the first automations we created was for code review. The PR review automation allows you to provide specific review instructions and refine them based on defined triggers or schedules. You can also specify which repositories the automation applies to and select the agent/model you'd like to execute the task. By using one of our predefined templates, you can have a fully customized code review automation set up in a matter of minutes that follows our heavily researched (and battle-tested) best practices.
Ensuring Best Practices Going Forward
To make sure events like the one Andres prevented earlier in this blog, having PR principles and best practices baked into your workflows is key. Rather than catching errors after the fact, having a solid "If x, then y" boolean way of preventing errors will make sure the code your team presents is both well done and scoped to your project.
As development speeds increase, a hybrid approach to code review is essential:
- Human Reviewers provide critical contextual nuance, mentorship, and architectural oversight that AI cannot replicate.
- AI Agents like Tembo eliminate bottlenecks by autonomously handling "trivial" tasks like syntax errors, formatting, and repetitive logic fixes.
By delegating mechanical checks to automation, we can focus on intent and design. This will ultimately establish consistent PR principles. This, paired with AI verification, ensures that your codebase remains secure, maintainable, and robust against modern security threats and coding standards.