Bring your own model — $0 per seat, not $40/mo

Code review that runs
inside your own CI.

An open-source agentic PR reviewer as a single GitHub Action. It runs on your runner, reviews with the model you already pay for, and posts diff-anchored findings back — no SaaS, no per-seat bill.

On the GitHub Marketplace · v0.2.0
$0
per seat
1 file
to install
30+
providers & CLIs
MIT
open source
.github/workflows/jbot-review.yml
name: J-Bot Code Review
on:
  pull_request: { types: [opened, synchronize, reopened] }

permissions:
  contents: read
  pull-requests: write

jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with: { fetch-depth: 0 }
      - uses: pgup-ai/jbot-review-action@v0
        with:
          provider: ${{ vars.JBOT_REVIEW_PROVIDER || 'opencode' }}
          opencode-api-key: ${{ secrets.OPENCODE_API_KEY }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

Reuse a subscription you already pay for

OpenCode gateways

OpenCode Zenfree models OpenCode Go Claude OpenAI Gemini DeepSeek Z.ai Qwen Kimi MiniMax MiMo Grok Nvidia OpenRouter Fireworks Cohere Together Baseten Cerebras Vercel

CLI subscriptions

Codex Cursor Devin Cline Kilo Grok Build Command Code Qoder

Or start at $0 — free models

DeepSeek V4 FlashOpenCode Hunyuan hy3OpenCodeKiloClineOpenRouter Nemotron 3 UltraOpenCodeKiloOpenRouter North Mini CodeOpenCodeKiloOpenRouter MiMo v2.5OpenCode

See a real review

Diff-anchored findings.
Verified before they post.

A second model checks every blocking finding first — so what lands on your PR is signal, not a wall of nits.

jbot-review bot · reviewed 2 files · 40s ago
src/auth/session.ts
@@ -41,7 +41,9 @@ export async function createSession(-  const token = jwt.sign(payload, SECRET)+  const token = jwt.sign(payload, SECRET, {+    algorithm: req.headers['x-alg'] || 'HS256'+  })
● Blocking security · verified

Attacker-controlled JWT algorithm. The signing algorithm is read from a request header, so a caller can force none or swap to a key-confusion attack. Pin the algorithm server-side:

jwt.sign(payload, SECRET, { algorithm: 'HS256' })
Needs changes before approval 1 blocking · 2 nits demoted

Full base…head diff, sharded for speed · nits demoted, false positives dropped

See a real J-Bot review on a live pull request →

How it works

One file of setup.
Zero servers to run.

A Docker container action. GitHub runs it on your runner, reviews your checkout read-only, and posts back. The diff goes only to the model you bring — never a third-party reviewer.

01

Add the workflow

Commit one YAML file to .github/workflows and add an OpenCode gateway key or CLI credential as a repo secret.

secrets: OPENCODE_API_KEY
02

It runs in your CI

On each PR, Actions starts your selected backend in the container and reviews the full diff with least-privilege permissions.

contents: read · pull-requests: write
03

Verified reviews post

A second model verifies each blocking finding, then diff-anchored comments and a verdict land on the PR.

good to go from jbot-review

Features

Enterprise-grade review.
Zero lock-in.

Your key, your runner

Bring the gateway key or CLI credential as a repo secret. The diff goes only to the model you chose, on your own account.

No added J-Bot bill

Use OpenCode Zen free models, reuse a CLI seat, or pick a provider model on your own account. J-Bot adds no per-review bill.

Native to GitHub CI

A standard container action in your own CI. No SaaS account and no third-party reviewer in the loop.

Tune depth and cost

Start with the defaults, then adjust shards, review passes, and finding verification as your repositories grow.

Reads your house rules

Discovers AGENTS.md, REVIEW.md, .coderabbit.yaml, greptile.json and Cursor rules, then reviews against them.

Checks current docs

When a PR touches an external API or SDK, Context7 verifies the change against live documentation.

Ownership & cost

A reviewer you own,
not a service you rent.

Hosted SaaS reviewers

rented
~$40 / mo · per seat
Your code is uploaded to the reviewer’s own servers and model.
Per-seat pricing that scales with your team, not your usage.
Locked to the models the vendor chose for you.
Closed pipeline you cannot read, audit, or fork.

J-Bot Review

owned
$0 / seat · any team size
Runs in your runner. The diff goes only to the model you pick, on your own key.
Can be free with your provider’s free models, or reuse a CLI seat you already pay for.
Any provider, model, or supported CLI. Swap with one repo variable.
Open action you can pin, audit, and self-host anywhere.

Full comparisons: CodeRabbit · Greptile · Qodo · Cubic

GitHub App · private beta

The same reviewer,
managed for you.

The Action stays the no-server way to run J-Bot Review. The GitHub App runs the same reviewer from a dashboard instead: install it on a repo, add your own model keys — encrypted at rest, shown as last-4 only — and pull requests get reviewed with no workflow file to maintain. Reviews execute on ephemeral GitHub Actions runners.

Dashboard config: primary + verification model, a severity gate, PR triggers — or comment @jbot review
Per-run review history — duration, cost, tokens — with retry
Usage and quota meters per key

FAQ

Questions, answered.

Can I use my Claude, Codex, or Cursor subscription for automated code review?

Yes for Codex (a ChatGPT Plus/Pro seat), Cursor, Devin, Cline, Kilo, Command Code, Grok Build, and Qoder: J-Bot Review drives those coding-agent CLIs inside your own GitHub Actions, so a seat you already pay for reviews every pull request. Claude runs through your own Anthropic API key or an OpenCode gateway instead — a Claude Pro/Max seat is not a supported CI credential today. See the CLI subscription guide for per-CLI setup.

Is J-Bot Review free?

The action itself is MIT-licensed open source and adds no per-seat or per-review charge. You pay only for the model you bring — with OpenCode Zen free models or a CLI seat you already pay for, J-Bot adds $0 on top of your normal CI minutes.

Does my code get uploaded to a third-party service?

Run as the Action, there is no J-Bot server and no hosted reviewer in the loop, and the checkout never leaves your runner. What does leave is the diff, sent only to the model provider you configure, on your own key.

Is there a hosted or GitHub App version of J-Bot Review?

Currently in private beta. The GitHub App runs the same reviewer from a dashboard instead of a workflow file: add your own model keys (encrypted at rest), configure models, a severity gate, and triggers, and see review history and per-key usage meters. Reviews execute on ephemeral GitHub Actions runners. The Action remains the no-server option and is not being replaced.

How is J-Bot Review different from CodeRabbit or Greptile?

Hosted reviewers run your code through their own servers and charge per seat (about $40 per month). J-Bot Review is an open-source GitHub Action that runs in your CI with any model you choose, at $0 per seat. It also reads existing .coderabbit.yaml and greptile.json rule files, so switching keeps your house rules. Full comparisons: CodeRabbit · Greptile · Qodo · Cubic.

Which models and providers does J-Bot Review support?

30+ backends. OpenCode gateways cover OpenCode Zen free models plus Claude, OpenAI, Gemini, DeepSeek, Grok, Qwen, Kimi, MiniMax, OpenRouter, Fireworks, Cohere, Together, and more. CLI subscription backends cover Codex, Cursor, Devin, Cline, Kilo, Command Code, Grok Build, and Qoder. Switch backends with one repo variable.

Does it work with private repositories?

Yes. It is a standard container action: if your repository runs GitHub Actions, it can run J-Bot Review. Default permissions are least-privilege — contents: read, pull-requests: write — and your code never leaves the runner except to the model you configured.

Put it on your
next pull request.

One YAML file, one secret, and an agentic reviewer is reading every PR — on your runner, with $0 added by J-Bot.

- uses: pgup-ai/jbot-review-action@v0