[BX-8] New Feature: CoPilot first reviewer prompt#9
[BX-8] New Feature: CoPilot first reviewer prompt#9scottqueen-bixal wants to merge 18 commits intomainfrom
Conversation
…lines and comprehensive checklist
| - **Readability by others**: Can team members unfamiliar with this code understand it quickly? Is it written for humans first? | ||
| - **Author's intention**: Does the code do what the author intended, and is that intention good for both end-users and maintainers? | ||
| - **Complexity**: Is this no more complex than needed? Can it be understood quickly? Are developers likely to introduce bugs when modifying it? | ||
| - **Naming conventions**: Are variable, function, class, file, metric, and logger names sensible, readable, and consistent with existing codebase? |
There was a problem hiding this comment.
It's worth thinking about "Does the code follow coding conventions for the language used?" e.g. snake case vs camel case, indentation and whitespace, file/project organization.
We should prefer to use language/framework conventions in most cases, but also allow those to be overridden and say that consistency with the rest of the codebase is most important.
There was a problem hiding this comment.
addressed this in the ## Review Scope
| - Are there overly complex conditionals that could be simplified? | ||
| - Can nested loops/conditionals be flattened or extracted? | ||
| - Is there dead code or unused imports/variables? | ||
| - Are there opportunities to leverage language/framework features better? |
There was a problem hiding this comment.
One thing that I thought of for this section was "are we implementing something that already exists". Meaning could we bring in a library/package and eliminate code in our project.
However, being a gov contractor, there's probably a balance to be struck since every new dependency is a new security/maintenance item.
There was a problem hiding this comment.
Good considerations, added with focus on current codebase reuse.
You're right, there is value in an assessment of package replacements, but critical to not reproduce something that already exist in the current project.
| - Are edge cases and error conditions tested? | ||
| - Are tests readable and maintainable? | ||
| - Is test coverage adequate for the risk level? | ||
| - Are integration points properly tested? |
There was a problem hiding this comment.
The testing requirements should be flexible and maybe reference a repo-level document describing testing approach. For example a project/team may prefer low level unit tests with all integration points mocked, or a project/team may prefer integration level tests with less mocking. An acceptable code coverage level should be outlined, not every team wants to be at 100%. (The last 5-10% coverage is often a lot of work for questionable value)
There was a problem hiding this comment.
I think this is a case where a lead could "tweak" for their own references, but added a third item in ## Review Scope to generically address.
| - Are style guidelines followed (or enforced by linters)? | ||
| - Are there linting/type-checking errors that need addressing? | ||
| - For migrations: Is there a deployment plan documented? | ||
| - Is superfluous or experimental code being committed accidentally? |
There was a problem hiding this comment.
This is mostly duplicate of section 3
|
|
||
| You are a senior technical software engineer lead performing a thorough pre-commit code review. Your goal is to reduce risk and improve code quality through objective, actionable feedback while being polite, complimentary, and pragmatic. | ||
|
|
||
| ## Review Scope |
There was a problem hiding this comment.
Does the review happen one time, on every commit, on demand?
There was a problem hiding this comment.
I took pre-commit language out.
The two use cases are:
- to review the open doc
- Or, the context of highlighted code
I've outlined those in the testing steps above.
I could see a tool call here where users might be able to say
/code-review the last three commits
or
/code-review upstaged changes
Maybe these are more advanced for this first effort.
| ### Strengths | ||
| [Highlight 2-3 positive aspects - be genuinely complimentary] | ||
|
|
||
| ### Required Changes [h: high] |
There was a problem hiding this comment.
Consider if the reviewer should have a limit on the number of comments. We don't want to have a review seem harsh because of the volume of changes.
Maybe say something like "List all required changes, and then other comments up to 10(?) ordered by priority". The amount is just an example magic number.
… adding new refactoring questions
… condescending language
mejiaj
left a comment
mejiaj
left a comment
There was a problem hiding this comment.
Thanks for adding this, I'm excited to try it out! Added my comments from a brief review/test.
| - Provide objective, evidence-based feedback | ||
| - Avoid boasting about programming knowledge | ||
| - Remember: "Perfect is the enemy of good" - pragmatism over perfection | ||
| - Focus on reducing risk, not producing perfect code |
There was a problem hiding this comment.
praise: I like this approach on reducing risk, not perfect code.
| - **Write clear and specific comments**: Be precise about what needs to change and why | ||
| - **Include positive feedback**: Always highlight strengths and good decisions, not just issues | ||
| - **Be generous with code examples**: Show the suggested improvement in code when possible | ||
| - **Frame feedback as requests, not commands**: "Consider refactoring..." vs. "Refactor this..." |
There was a problem hiding this comment.
Suggestion: Something to think about for the future, we could use conventional comments to format the feedback.
So, suggestion: or issue (security) etc.
There was a problem hiding this comment.
trying this out
| - **Include positive feedback**: Always highlight strengths and good decisions, not just issues | ||
| - **Be generous with code examples**: Show the suggested improvement in code when possible | ||
| - **Frame feedback as requests, not commands**: "Consider refactoring..." vs. "Refactor this..." | ||
| - **Tie notes to principles, not opinions**: Reference standards, best practices, or project guidelines rather than personal preference |
There was a problem hiding this comment.
| - **Tie notes to principles, not opinions**: Reference standards, best practices, or project guidelines rather than personal preference | |
| - **Tie notes to principles, not opinions**: Reference standards, best practices, official guidance, or project guidelines rather than personal preference |
Suggestion: Not sure if it needs to be said explicitly, but something like prioritize the official source first.
| - **Start high-level, then work down**: Review architecture and design first, then dive into implementation details | ||
|
|
||
| **Feedback Priority** (Scale|LOC): | ||
| - **[l: low]** - Nitpick. Author may address but doesn't have to |
There was a problem hiding this comment.
| - **[l: low]** - Nitpick. Author may address but doesn't have to | |
| - **[l: low]** - Non-blocking. Author may address but doesn't have to |
Just rephrasing for additional clarity.
| ### 8. Security Review | ||
| - Apply all checks from `security.instructions.md`: | ||
| - Input validation and sanitization | ||
| - Authentication and authorization | ||
| - Data protection (encryption, secure storage) | ||
| - Dependency vulnerabilities | ||
| - Injection attack prevention (SQL, XSS, etc.) | ||
| - Proper error handling without exposing sensitive info |
There was a problem hiding this comment.
Copilot review feedback:
| ### 8. Security Review | |
| - Apply all checks from `security.instructions.md`: | |
| - Input validation and sanitization | |
| - Authentication and authorization | |
| - Data protection (encryption, secure storage) | |
| - Dependency vulnerabilities | |
| - Injection attack prevention (SQL, XSS, etc.) | |
| - Proper error handling without exposing sensitive info | |
| ### 8. Security Review | |
| - Apply all checks from `security.instructions.md`: | |
| - Input validation and sanitization (e.g., Are user inputs validated before database queries?) | |
| - Authentication and authorization (e.g., Are protected routes checking user permissions?) | |
| - Data protection (encryption, secure storage) | |
| - Dependency vulnerabilities | |
| - Injection attack prevention (SQL, XSS, etc.) | |
| - Proper error handling without exposing sensitive info (e.g., Are stack traces hidden in production?) |
There was a problem hiding this comment.
Since we are already referencing the security.instructions.md file this might be adding more prescriptive or redundancies as well as adding more tokens.
There was a problem hiding this comment.
Agreed, the more concise we can make it the easier it'll be to modify/maintain.
There was a problem hiding this comment.
Meta, but I used this prompt to review the prompt!
The suggested lines for comments seems off:
Note
Not a criticism, just flagging that this is a recurring problem I've noticed when using my own prompts.
There was a problem hiding this comment.
LLM's are bad at counting lines apparently 😞 -> also this issue in progress microsoft/vscode#280523
There was a problem hiding this comment.
Yup. I would add a note for user that for now line numbers might not match up, but it doesn't mean the suggestion is wrong.
There was a problem hiding this comment.
It'd be nice to have a README.md file in this directory or header comments about what this is and what it's for.
There was a problem hiding this comment.
this is just for testing the current work, will be removed before merging
|
|
||
| ### 3. Code Quality & Maintainability | ||
| - **System design**: How well do the various pieces interact together? Is the integration with the overall system well-designed? | ||
| - **Readability by others**: Can team members unfamiliar with this code understand it quickly? Is it written for humans first? |
There was a problem hiding this comment.
| - **Readability by others**: Can team members unfamiliar with this code understand it quickly? Is it written for humans first? | |
| - **Readability for others**: Can team members unfamiliar with this code understand it quickly? Is it written for humans first? |
|
|
||
| ### 6. Refactoring Opportunities | ||
| - Can code be simplified without losing clarity? | ||
| - Are there overly complex conditionals that could be simplified? |
There was a problem hiding this comment.
| - Are there overly complex conditionals that could be simplified? | |
| - Are there unnecessarily complex conditionals that could be simplified? |
…tting for feedback items
… feedback guidelines
- Created package.json for project dependencies and scripts. - Added styles.css for alert button component with accessibility support. - Implemented test setup in test-setup.js for Node environment. - Developed HTML test suite for alert button functionality. - Created utils.test.js to test utility functions with localStorage mocks.
… and clarity on feedback scope
…ecessary sections
…elines and clarify full file review conditions
3 participants
Description
Tell us what you changed and why.
Related Issues
Closes #ISSUE_NO
Type of change
How did you test?
leverage
test-codefor testing against thecode-review.prompt.mdNote
This code will be removed before merged
By default
/code-reviewwill review uncommitted changes/code-reviewOther methods
By selected lines:
/code-reviewBy file in context window:
/code-reviewChecklist