Home / Guides / Grok Build

Grok Build code review in GitHub Actions

Updated July 10, 2026 · applies to pgup-ai/jbot-review-action v0

The Grok account you already sign into can review your pull requests. J-Bot Review — an open-source (MIT) GitHub Action — drives Grok Build headlessly inside your own CI: grok login --device-auth once, one GROK_AUTH_JSON secret, one workflow file. Account auth is the preferred credential, an xAI API key the explicit fallback, and J-Bot adds $0 on top.

The seventh seat

Grok Build joins Codex (ChatGPT Plus/Pro), Cursor, Devin, Cline, Kilo, Command Code, and Qoder in the same one-secret pattern — the CLI subscription guide lines all eight up in one table.

Setup in three steps

  1. Copy the credential. Run grok login --device-auth locally, then save the whole contents of ~/.grok/auth.json as the repository secret GROK_AUTH_JSON (Settings → Secrets and variables → Actions). The secret is the entire file — the same whole-file pattern as Codex, Cline, and Kilo.
  2. Commit the workflow. Add the file below as .github/workflows/jbot-review.yml.
  3. Open a pull request. Grok Build reads the full base…head diff and posts diff-anchored review comments with a verdict; blocking findings are adversarially verified first, nits demoted.
.github/workflows/jbot-review.yml
name: J-Bot Code Review
on:
  pull_request: { types: [opened, reopened, ready_for_review, synchronize] }

concurrency:
  group: jbot-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

permissions:
  contents: read
  pull-requests: write
  issues: write        # PR reactions use the issues API
  checks: read

jobs:
  review:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with: { fetch-depth: 0 }
      - uses: pgup-ai/jbot-review-action@v0
        with:
          provider: grok               # account auth; xai-api-key is the fallback
          grok-auth: ${{ secrets.GROK_AUTH_JSON }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

Account auth first, API key second

Cost, privacy & what the session can't do

FAQ

Can J-Bot Review use my Grok subscription to review pull requests?

Yes — through Grok Build account auth. Run grok login --device-auth locally and save the whole contents of ~/.grok/auth.json as the repository secret GROK_AUTH_JSON; reviews then run on your Grok account. If you'd rather pay per token, an xAI API key (xai-api-key) works as the fallback credential.

What is the difference between provider: grok and provider: xai?

provider: grok drives the Grok Build CLI on your account auth; provider: xai keeps calling the xAI API directly with XAI_API_KEY, unchanged. Under provider: grok the API key is used only when account auth is absent — so an expired login fails loudly instead of silently switching the run to per-token API billing.

How locked down is the Grok Build review session?

It runs headless with edits, shell, MCP, web access, memory, and subagents disabled, in an empty read-only temporary workspace — repository Grok config, plugins, and hooks never execute. The diff is embedded in the review prompt (up to 512 KiB per shard); if a diff can't be carried whole, the main review refuses rather than posting partial coverage.

Related