Home / Guides / Cursor

Cursor code review in GitHub Actions

Updated July 4, 2026 · applies to pgup-ai/jbot-review-action v0

Your Cursor subscription can double as a PR reviewer. J-Bot Review is an MIT-licensed GitHub Action that runs the Cursor CLI inside your own CI. Setup is one API key from the Cursor dashboard and one workflow file; after that, every pull request gets verified, diff-anchored findings. Cursor stays in read-only plan mode the whole time, and J-Bot adds nothing to the bill.

Other seats work too

Cursor isn't special-cased here. Codex (ChatGPT Plus/Pro), Devin, Cline, Kilo, Command Code, Grok Build, and Qoder wire up the same way, and the CLI subscription guide has the full table of providers, secrets, and where each credential lives.

Setup in three steps

  1. Add the secret. Create an API key in the Cursor dashboard under Integrations (keys look like crsr_…) and save it as the repository secret CURSOR_API_KEY (Settings → Secrets and variables → Actions).
  2. Commit the workflow. Add the file below as .github/workflows/jbot-review.yml.
  3. Open a pull request. The Cursor CLI reviews the full base…head diff on your runner and posts review comments with a verdict; blocking findings are adversarially verified first, nits demoted.
.github/workflows/jbot-review.yml
name: J-Bot Code Review
on:
  pull_request: { types: [opened, reopened, ready_for_review, synchronize] }

concurrency:
  group: jbot-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: write
  issues: write        # PR reactions use the issues API
  checks: read

jobs:
  review:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with: { fetch-depth: 0 }
      - uses: pgup-ai/jbot-review-action@v0
        with:
          provider: cursor
          cursor-api-key: ${{ secrets.CURSOR_API_KEY }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

What the review covers

Cost & privacy

FAQ

Can I use my Cursor subscription for automated code review?

Yes. J-Bot Review drives the Cursor CLI (cursor-agent) inside your own GitHub Actions, authenticated with an API key from your Cursor account — so the seat you already pay for reviews every pull request. Models are managed by your Cursor account, and J-Bot itself adds no charge.

Where does the CURSOR_API_KEY secret come from?

Create an API key in the Cursor dashboard under Integrations — keys look like crsr_… — and save it as a repository secret named CURSOR_API_KEY (Settings → Secrets and variables → Actions). Store it only as a secret, never as a variable.

Can Cursor modify my code from CI?

No. The backend runs in read-only plan mode (cursor-agent --mode plan), the workflow's only write scopes are PR comments and reactions (contents stays read-only), and on pull_request events GitHub strips secrets from fork PRs so outside contributors cannot use your seat.

Related